bump chef rust version

* new ui using mantine

* resources page

* prog on resource page

* resources and resource layouts

* confirm button and modal

* tweaks

* update details

* topbar updates

* add skeletons for resource implementations

* add resource tables

* add tags to recents cards

* resource page table scrolling

* table component + tags filter

* export toml

* New Resource button

* Fix update details capture closing

* tweaks

* omni search

* refine config

* config tweaks

* implement more configs / resource selector

* add profile page

* provider / account selectors

* container table page

* build config

* deployment config

* fix deployment build version selector

* fix secrets selector

* resource sync config

* mobile topbar and updates

* update details fz sm

* stack config

* terminals page

* create terminal in prog

* create terminal menu

* finish create terminal menu

* terminal pages working

* stack tabs / info

* add executions

* add server header info

* confirm pubkey modal

* improve resource header styling

* FileSource component

* stack service table, move icons.ts

* basic procedure config

* tweak procedure config

* container / image pages

* network / volume pages

* clean up docker resource pages

*  basic log / terminal ui

* reusable log section

* styling

* clean up resource components

* delete in resource header

* log auto select stderr

* fix some bgs

* stack logs with service selector

* stack terminals

* add deployment executions

* use correct icon

* useResource hooks

* build info

* build info

* tweaks

* server tabs

* fix terminal section target

* prog on server tabs

* server stats

* light theme

* start on historical stats

* stack service page

* resource sync tabs

* sync tabs

* more topbar icons

* add settings basic

* add topbar alerts

* tweak stream selector behavior

* tweak alert icon topbar

* improve styling smaller screen

* schedules page and other progress

* onboarding keys

* improve schedule page descriptions

* improve update notifications

* schedule timezone selector

* tag color selector

* finish settings / providers

* use shared-text-update component so settings tables aren't janky

* updates page

* refine updates page

* alert page

* standardize borders

* theme and swarm

* swarm tabs

* swarm node page

* swarm config page

* swarm pages

* swarm task and secret pages

* swarm stack page

* fix stack log service selector in swarm mode

* standard inspect section

* swarm inspect tab

* server and swarm resources tab

* add disable confirm dialog (modal) option for executions

* stack update available indicator

* deployment update available

* add template switch to resource headers

* ResourceHeader + rename

* set editing name onclick

* repo tabs

* server stats table

* refine a bit

* refine deployment / stack header info

* show server stats dashboard. dashboard tables

* action last run in config

* SettingsUsers page

* user page etc

* manage api key

* user base permissions

* color the table multi select

* user group page

* UserAddUserGroup

* active includes deployments / stacks

* improve small screen view

* fix docker pages execution showing

* clean up

* rename frontend to UI

* align profile page styling

* config maintenance windows

* finish maintenance windows

* builder config

* add batch execute dropdown / confirm menu

* batch execute styling

* deploy 2.0.0-dev-117

* improve stats card light theme

* add update page

* improve mobile

* terminal group nowrap

* mobile improvements

* allow unused again

* improve mobile font sizing

* improve mobile updates / alerts

* mobile tabs

* alert page

* add server version mismatch color

* new resource, clearable selector

* Fix build show info tab

* copy resources

* keyboard shortcuts

* server resource header version mismatch

* fix type errors

* container page server multi select

* confirm button clear timeout

* hash compare force uses first 8 for short hash

* fix log height

* copy webhooks

* responsive tweaks

* add icons to server stat sections

* add historical server stats charts

* server stat current card shows usage numbers

* refine current stats more

* fix shortcuts interfering with monaco brave

* clean up unused

* remove v1 frontend

.gitignore

@@ -6,8 +6,4 @@ deno.lock
 .env.development
 .DS_Store
 .idea
-
-/frontend/build
-/lib/ts_client/build
-
 .dev

.vscode/tasks.json

@@ -106,62 +106,62 @@
             "problemMatcher": []
         },
         {
-            "label": "Init Frontend Client",
+            "label": "Init UI Client",
             "type": "shell",
             "command": "yarn link komodo_client && yarn install",
             "options": {
-                "cwd": "${workspaceFolder}/frontend",
+                "cwd": "${workspaceFolder}/ui",
             },
             "problemMatcher": []
         },
         {
-            "label": "Init Frontend",
+            "label": "Init UI",
             "dependsOn": [
                 "Build TS Client Types",
                 "Init TS Client",
-                "Init Frontend Client"
+                "Init UI Client"
             ],
             "dependsOrder": "sequence",
             "problemMatcher": []
         },
         {
-            "label": "Build Frontend",
+            "label": "Build UI",
             "type": "shell",
             "command": "yarn build",
             "options": {
-                "cwd": "${workspaceFolder}/frontend",
+                "cwd": "${workspaceFolder}/ui",
             },
             "problemMatcher": []
         },
         {
-            "label": "Prepare Frontend For Run",
+            "label": "Prepare UI For Run",
             "type": "shell",
-            "command": "cp -r ./client/core/ts/dist/. frontend/public/client/.",
+            "command": "cp -r ./client/core/ts/dist/. ui/public/client/.",
             "options": {
                 "cwd": "${workspaceFolder}",
             },
             "dependsOn": [
                 "Build TS Client Types",
-                "Build Frontend"
+                "Build UI"
             ],
             "dependsOrder": "sequence",
             "problemMatcher": []
         },
         {
-            "label": "Run Frontend",
+            "label": "Run UI",
             "type": "shell",
             "command": "yarn dev",
             "options": {
-                "cwd": "${workspaceFolder}/frontend",
+                "cwd": "${workspaceFolder}/ui",
             },
-            "dependsOn": ["Prepare Frontend For Run"],
+            "dependsOn": ["Prepare UI For Run"],
             "problemMatcher": []
         },
         {
             "label": "Init",
             "dependsOn": [
                 "Build Backend",
-                "Init Frontend"
+                "Init UI"
             ],
             "dependsOrder": "sequence",
             "problemMatcher": []
@@ -171,7 +171,7 @@
             "dependsOn": [
                 "Run Core",
                 "Run Periphery",
-                "Run Frontend"
+                "Run UI"
             ],
             "problemMatcher": []
         },

Cargo.toml

@@ -8,7 +8,7 @@ members = [
 ]
 
 [workspace.package]
-version = "2.0.0-dev-86"
+version = "2.0.0-dev-118"
 edition = "2024"
 authors = ["mbecker20 <becker.maxh@gmail.com>"]
 license = "GPL-3.0-or-later"
@@ -22,128 +22,117 @@ strip = "debuginfo"
 # LOCAL
 komodo_client = { path = "client/core/rs" }
 periphery_client = { path = "client/periphery/rs" }
-environment_file = { path = "lib/environment_file" }
 environment = { path = "lib/environment" }
 interpolate = { path = "lib/interpolate" }
-secret_file = { path = "lib/secret_file" }
 formatting = { path = "lib/formatting" }
 transport = { path = "lib/transport" }
 database = { path = "lib/database" }
 encoding = { path = "lib/encoding" }
-response = { path = "lib/response" }
 command = { path = "lib/command" }
-config = { path = "lib/config" }
-logger = { path = "lib/logger" }
-cache = { path = "lib/cache" }
-noise = { path = "lib/noise" }
 git = { path = "lib/git" }
 
 # MOGH
-serror = { version = "0.5.3", default-features = false }
 slack = { version = "2.0.0", package = "slack_client_rs", default-features = false, features = ["rustls"] }
+mogh_error = { version = "1.0.3", default-features = false }
 derive_default_builder = "0.1.8"
-derive_empty_traits = "0.1.0"
 async_timing_util = "1.1.0"
-partial_derive2 = "0.4.3"
-derive_variants = "1.0.0"
+mogh_auth_client = "1.2.2"
+mogh_auth_server = "1.2.6"
+mogh_secret_file = "1.0.1"
+mogh_validations = "1.0.1"
+mogh_rate_limit = "1.0.1"
+partial_derive2 = "0.4.5"
 mongo_indexed = "2.0.2"
-resolver_api = "3.0.0"
-toml_pretty = "1.2.0"
+mogh_resolver = "1.0.0"
+mogh_config = "1.0.2"
+mogh_logger = "1.3.1"
+mogh_server = "1.4.4"
+toml_pretty = "2.0.0"
+mogh_cache = "1.1.1"
+mogh_pki = "1.1.0"
 mungos = "3.2.2"
 svi = "1.2.0"
 
 # ASYNC
-reqwest = { version = "0.12.24", default-features = false, features = ["json", "stream", "rustls-tls-native-roots"] }
-tokio = { version = "1.48.0", features = ["full"] }
-tokio-util = { version = "0.7.16", features = ["io", "codec"] }
-tokio-stream = { version = "0.1.17", features = ["sync"] }
+reqwest = { version = "0.13.2", default-features = false, features = ["json", "stream", "form", "query", "rustls"] }
+tokio = { version = "1.49.0", features = ["full"] }
+tokio-util = { version = "0.7.18", features = ["io", "codec"] }
+tokio-stream = { version = "0.1.18", features = ["sync"] }
 pin-project-lite = "0.2.16"
-futures-util = "0.3.31"
-arc-swap = "1.7.1"
+futures-util = "0.3.32"
+arc-swap = "1.8.2"
 
 # SERVER
 tokio-tungstenite = { version = "0.28.0", features = ["rustls-tls-native-roots"] }
-axum-extra = { version = "0.10.3", features = ["typed-header"] }
-tower-http = { version = "0.6.6", features = ["fs", "cors"] }
-axum-server = { version = "0.7.2", features = ["tls-rustls"] }
-axum = { version = "0.8.6", features = ["ws", "json", "macros"] }
+axum = { version = "0.8.8", features = ["ws", "json", "macros"] }
+axum-extra = { version = "0.12.5", features = ["typed-header"] }
+
+# OPENAPI
+utoipa-scalar = { version = "0.3.0", features = ["axum"] }
+utoipa = "5.4.0"
 
 # SER/DE
 ipnetwork = { version = "0.21.1", features = ["serde"] }
-indexmap = { version = "2.12.0", features = ["serde"] }
+indexmap = { version = "2.13.0", features = ["serde"] }
 serde = { version = "1.0.227", features = ["derive"] }
-strum = { version = "0.27.2", features = ["derive"] }
+strum = { version = "0.28.0", features = ["derive"] }
 bson = { version = "2.15.0" } # must keep in sync with mongodb version
+toml = "0.9.11+spec-1.1.0"
 serde_yaml_ng = "0.10.0"
-serde_json = "1.0.145"
-serde_qs = "0.15.0"
-toml = "0.9.8"
-url = "2.5.7"
+serde_json = "1.0.149"
+serde_qs = "1.0.0"
+url = "2.5.8"
 
 # ERROR
-anyhow = "1.0.100"
-thiserror = "2.0.17"
+anyhow = "1.0.102"
+thiserror = "2.0.18"
 
 # LOGGING
-opentelemetry-otlp = { version = "0.31.0", features = ["tls-roots", "reqwest-rustls"] }
-opentelemetry_sdk = { version = "0.31.0", features = ["rt-tokio"] }
-tracing-subscriber = { version = "0.3.20", features = ["json"] }
-opentelemetry-semantic-conventions = "0.31.0"
-tracing-opentelemetry = "0.32.0"
-opentelemetry = "0.31.0"
-tracing = "0.1.41"
+tracing = "0.1.44"
 
 # CONFIG
-clap = { version = "4.5.50", features = ["derive"] }
+clap = { version = "4.5.60", features = ["derive"] }
 dotenvy = "0.15.7"
 envy = "0.4.2"
 
 # CRYPTO / AUTH
-uuid = { version = "1.18.1", features = ["v4", "fast-rng", "serde"] }
-jsonwebtoken = { version = "10.1.0", features = ["aws_lc_rs"] } # locked back with octorust
-rustls = { version = "0.23.34", features = ["aws-lc-rs"] }
-pem-rfc7468 = { version = "0.7.0", features = ["alloc"] }
-openidconnect = "4.0.1"
+uuid = { version = "1.21.0", features = ["v4", "fast-rng", "serde"] }
+rustls = { version = "0.23.37", features = ["aws-lc-rs"] }
+data-encoding = "2.10.0"
 urlencoding = "2.1.3"
-bcrypt = "0.17.1"
-base64 = "0.22.1"
-pkcs8 = "0.10.2"
-snow = "0.10.0"
+bcrypt = "0.18.0"
 hmac = "0.12.1"
 sha1 = "0.10.6"
 sha2 = "0.10.9"
-rand = "0.9.2"
+rand = "0.10.0"
 hex = "0.4.3"
-spki = "0.7.3"
-der = "0.7.10"
 
 # SYSTEM
 hickory-resolver = "0.25.2"
 portable-pty = "0.9.0"
 shell-escape = "0.1.5"
 crossterm = "0.29.0"
-bollard = "0.19.3"
-sysinfo = "0.37.1"
+bollard = "0.20.1"
+sysinfo = "0.38.2"
 shlex = "1.3.0"
 
 # CLOUD
-aws-config = "1.8.8"
-aws-sdk-ec2 = "1.176.0"
-aws-credential-types = "1.2.8"
+aws-config = "1.8.14"
+aws-sdk-ec2 = "1.214.0"
+aws-credential-types = "1.2.13"
 
 ## CRON
-english-to-cron = "0.1.6"
+english-to-cron = "0.1.7"
 chrono-tz = "0.10.4"
-chrono = "0.4.42"
-croner = "3.0.0"
+chrono = "0.4.44"
+croner = "3.0.1"
 
 # MISC
-async-compression = { version = "0.4.32", features = ["tokio", "gzip"] }
+async-compression = { version = "0.4.41", features = ["tokio", "gzip"] }
 derive_builder = "0.20.2"
-comfy-table = "7.2.1"
-typeshare = "1.0.4"
-dashmap = "6.1.0"
+comfy-table = "7.2.2"
+typeshare = "1.0.5"
 wildcard = "0.3.0"
-colored = "3.0.0"
-bytes = "1.10.1"
-regex = "1.12.2"
+colored = "3.1.1"
+bytes = "1.11.1"
+regex = "1.12.3"

bin/binaries.Dockerfile

@@ -1,7 +1,7 @@
 ## Builds the Komodo Core, Periphery, and Util binaries
-## for a specific architecture.
+## for a specific architecture. Requires OpenSSL 3 or later.
 
-FROM rust:1.90.0-bullseye AS builder
+FROM rust:1.93.1-bookworm AS builder
 RUN cargo install cargo-strip
 
 WORKDIR /builder

bin/chef.binaries.Dockerfile

@@ -1,9 +1,9 @@
 ## Builds the Komodo Core, Periphery, and Util binaries
-## for a specific architecture.
+## for a specific architecture. Requires OpenSSL 3 or later.
 
 ## Uses chef for dependency caching to help speed up back-to-back builds.
 
-FROM lukemathwalker/cargo-chef:latest-rust-1.90.0-bullseye AS chef
+FROM lukemathwalker/cargo-chef:latest-rust-1.93.1-bookworm AS chef
 WORKDIR /builder
 
 # Plan just the RECIPE to see if things have changed

bin/cli/Cargo.toml

@@ -14,12 +14,12 @@ path = "src/main.rs"
 
 [dependencies]
 # local
-environment_file.workspace = true
-komodo_client.workspace = true
+komodo_client = { workspace = true, features = ["cli"] }
+mogh_secret_file.workspace = true
+mogh_pki.workspace = true
 database.workspace = true
-config.workspace = true
-logger.workspace = true
-noise.workspace = true
+mogh_config.workspace = true
+mogh_logger.workspace = true
 # external
 futures-util.workspace = true
 comfy-table.workspace = true

bin/cli/aio.Dockerfile

@@ -1,4 +1,4 @@
-FROM rust:1.90.0-bullseye AS builder
+FROM rust:1.93.1-bullseye AS builder
 RUN cargo install cargo-strip
 
 WORKDIR /builder

bin/cli/src/command/database.rs

@@ -358,6 +358,11 @@ async fn v1_downgrade(yes: bool) -> anyhow::Result<()> {
     .await
     .context("Failed to downgrade Server schema")?;
 
+  db.collection::<Document>("Deployment")
+    .update_many(doc! {}, doc! { "$set": { "info": null } })
+    .await
+    .context("Failed to downgrade Deployment schema")?;
+
   info!(
     "V1 Downgrade complete. Ready to downgrade to komodo-core:1 ✅"
   );

bin/cli/src/command/execute.rs

@@ -221,6 +221,33 @@ pub async fn handle(
     Execution::SendAlert(data) => {
       println!("{}: {data:?}", "Data".dimmed())
     }
+    Execution::RemoveSwarmNodes(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RemoveSwarmStacks(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RemoveSwarmServices(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::CreateSwarmConfig(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RotateSwarmConfig(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RemoveSwarmConfigs(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::CreateSwarmSecret(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RotateSwarmSecret(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RemoveSwarmSecrets(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
     Execution::ClearRepoCache(data) => {
       println!("{}: {data:?}", "Data".dimmed())
     }
@@ -488,6 +515,42 @@ pub async fn handle(
       .execute(request)
       .await
       .map(|u| ExecutionResult::Single(u.into())),
+    Execution::RemoveSwarmNodes(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::RemoveSwarmStacks(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::RemoveSwarmServices(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::CreateSwarmConfig(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::RotateSwarmConfig(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::RemoveSwarmConfigs(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::CreateSwarmSecret(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::RotateSwarmSecret(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::RemoveSwarmSecrets(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
     Execution::ClearRepoCache(request) => client
       .execute(request)
       .await

bin/cli/src/command/update/user.rs

@@ -26,6 +26,9 @@ pub async fn update(
     UpdateUserCommand::SuperAdmin { enabled, yes } => {
       update_super_admin(username, *enabled, *yes).await
     }
+    UpdateUserCommand::Clear2fa { yes } => {
+      clear_2fa(username, *yes).await
+    }
   }
 }
 
@@ -120,3 +123,20 @@ async fn update_super_admin(
 
   Ok(())
 }
+
+async fn clear_2fa(username: &str, yes: bool) -> anyhow::Result<()> {
+  println!("\n{}: Clear 2FA Methods\n", "Mode".dimmed());
+  println!(" - {}: {username}", "Username".dimmed());
+
+  crate::command::wait_for_enter("clear user 2FA methods", yes)?;
+
+  info!("Clearing 2FA methods...");
+
+  let db = database::Client::new(&cli_config().database).await?;
+
+  db.clear_user_2fa_methods(username).await?;
+
+  info!("2FA methods cleared ✅");
+
+  Ok(())
+}

bin/cli/src/config.rs

@@ -3,7 +3,6 @@ use std::{path::PathBuf, sync::OnceLock};
 use anyhow::Context;
 use clap::Parser;
 use colored::Colorize;
-use environment_file::maybe_read_item_from_file;
 use komodo_client::entities::{
   config::{
     DatabaseConfig,
@@ -14,6 +13,7 @@ use komodo_client::entities::{
   },
   logger::LogConfig,
 };
+use mogh_secret_file::maybe_read_item_from_file;
 
 pub fn cli_args() -> &'static CliArgs {
   static CLI_ARGS: OnceLock<CliArgs> = OnceLock::new();
@@ -74,7 +74,7 @@ pub fn cli_config() -> &'static CliConfig {
         "Config File Keywords".dimmed(),
       );
     }
-    let mut unparsed_config = (config::ConfigLoader {
+    let mut unparsed_config = (mogh_config::ConfigLoader {
       paths: &config_paths
         .iter()
         .map(PathBuf::as_path)
@@ -166,7 +166,7 @@ pub fn cli_config() -> &'static CliConfig {
       else {
         panic!("Profile config is not Object type.");
       };
-      config::merge_config(
+      mogh_config::merge_config(
         unparsed_config,
         profile_config.clone(),
         env.komodo_cli_merge_nested_config,

bin/cli/src/main.rs

@@ -12,7 +12,7 @@ mod config;
 
 async fn app() -> anyhow::Result<()> {
   dotenvy::dotenv().ok();
-  logger::init(&config::cli_config().cli_logging)?;
+  mogh_logger::init(&config::cli_config().cli_logging)?;
   let args = config::cli_args();
   let env = config::cli_env();
   let debug_load =
@@ -65,7 +65,7 @@ async fn app() -> anyhow::Result<()> {
       command::terminal::handle_attach(attach).await
     }
     args::Command::Key { command } => {
-      noise::key::command::handle(command).await
+      mogh_pki::cli::handle(command, mogh_pki::PkiKind::Mutual).await
     }
     args::Command::Database { command } => {
       command::database::handle(command).await

bin/core/Cargo.toml

@@ -15,63 +15,62 @@ path = "src/main.rs"
 
 [dependencies]
 # local
-komodo_client = { workspace = true, features = ["mongo"] }
+komodo_client = { workspace = true, features = ["core"] }
 periphery_client.workspace = true
-environment_file.workspace = true
+mogh_validations.workspace = true
 interpolate.workspace = true
-secret_file.workspace = true
+mogh_secret_file.workspace = true
 formatting.workspace = true
+mogh_rate_limit.workspace = true
 transport.workspace = true
 database.workspace = true
 encoding.workspace = true
-response.workspace = true
 command.workspace = true
-config.workspace = true
-logger.workspace = true
-cache.workspace = true
-noise.workspace = true
+mogh_config.workspace = true
+mogh_logger.workspace = true
+mogh_cache.workspace = true
+mogh_pki.workspace = true
 git.workspace = true
 # mogh
-serror = { workspace = true, features = ["axum"] }
+mogh_error = { workspace = true, features = ["axum"] }
+mogh_auth_client = { workspace = true, features = ["utoipa"] }
+mogh_auth_server.workspace = true
 async_timing_util.workspace = true
 partial_derive2.workspace = true
-derive_variants.workspace = true
-resolver_api.workspace = true
+mogh_resolver.workspace = true
+mogh_server.workspace = true
 toml_pretty.workspace = true
 slack.workspace = true
 svi.workspace = true
 # external
 aws-credential-types.workspace = true
 english-to-cron.workspace = true
-openidconnect.workspace = true
-jsonwebtoken.workspace = true
+data-encoding.workspace = true
+serde_yaml_ng.workspace = true
+utoipa-scalar.workspace = true
 futures-util.workspace = true
-axum-server.workspace = true
-urlencoding.workspace = true
 aws-sdk-ec2.workspace = true
+urlencoding.workspace = true
 aws-config.workspace = true
 tokio-util.workspace = true
 axum-extra.workspace = true
-tower-http.workspace = true
 serde_json.workspace = true
-serde_yaml_ng.workspace = true
-serde_qs.workspace = true
 typeshare.workspace = true
 chrono-tz.workspace = true
 indexmap.workspace = true
 wildcard.workspace = true
 arc-swap.workspace = true
+serde_qs.workspace = true
 colored.workspace = true
-dashmap.workspace = true
 tracing.workspace = true
 reqwest.workspace = true
 dotenvy.workspace = true
 anyhow.workspace = true
+bcrypt.workspace = true
 croner.workspace = true
 chrono.workspace = true
-bcrypt.workspace = true
-base64.workspace = true
 rustls.workspace = true
+utoipa.workspace = true
 bytes.workspace = true
 tokio.workspace = true
 serde.workspace = true

bin/core/aio.Dockerfile

@@ -1,7 +1,7 @@
 ## All in one, multi stage compile + runtime Docker build for your architecture.
 
 # Build Core
-FROM rust:1.90.0-trixie AS core-builder
+FROM rust:1.93.1-trixie AS core-builder
 RUN cargo install cargo-strip
 
 WORKDIR /builder
@@ -17,13 +17,13 @@ RUN cargo build -p komodo_core --release && \
   cargo build -p komodo_cli --release && \
   cargo strip
 
-# Build Frontend
-FROM node:20.12-alpine AS frontend-builder
+# Build UI
+FROM node:22.12-alpine AS ui-builder
 WORKDIR /builder
-COPY ./frontend ./frontend
+COPY ./ui ./ui
 COPY ./client/core/ts ./client
 RUN cd client && yarn && yarn build && yarn link
-RUN cd frontend && yarn link komodo_client && yarn && yarn build
+RUN cd ui && yarn link komodo_client && yarn && yarn build
 
 # Final Image
 FROM debian:trixie-slim
@@ -37,7 +37,7 @@ WORKDIR /app
 
 # Copy
 COPY ./config/core.config.toml /config/.default.config.toml
-COPY --from=frontend-builder /builder/frontend/dist /app/frontend
+COPY --from=ui-builder /builder/ui/dist /app/ui
 COPY --from=core-builder /builder/target/release/core /usr/local/bin/core
 COPY --from=core-builder /builder/target/release/km /usr/local/bin/km
 COPY --from=denoland/deno:bin /deno /usr/local/bin/deno

bin/core/multi-arch.Dockerfile

@@ -3,14 +3,14 @@
 ## Since theres no heavy build here, QEMU multi-arch builds are fine for this image.
 
 ARG BINARIES_IMAGE=ghcr.io/moghtech/komodo-binaries:latest
-ARG FRONTEND_IMAGE=ghcr.io/moghtech/komodo-frontend:latest
+ARG UI_IMAGE=ghcr.io/moghtech/komodo-ui:latest
 ARG X86_64_BINARIES=${BINARIES_IMAGE}-x86_64
 ARG AARCH64_BINARIES=${BINARIES_IMAGE}-aarch64
 
 # This is required to work with COPY --from
 FROM ${X86_64_BINARIES} AS x86_64
 FROM ${AARCH64_BINARIES} AS aarch64
-FROM ${FRONTEND_IMAGE} AS frontend
+FROM ${UI_IMAGE} AS ui
 
 # Final Image
 FROM debian:trixie-slim
@@ -33,9 +33,9 @@ COPY --from=x86_64 /km /app/km/linux/amd64
 COPY --from=aarch64 /km /app/km/linux/arm64
 RUN mv /app/km/${TARGETPLATFORM} /usr/local/bin/km && rm -r /app/km
 
-# Copy default config / static frontend / deno binary
+# Copy default config / static ui / deno binary
 COPY ./config/core.config.toml /config/.default.config.toml
-COPY --from=frontend /frontend /app/frontend
+COPY --from=ui /ui /app/ui
 COPY --from=denoland/deno:bin /deno /usr/local/bin/deno
 
 # Set $DENO_DIR and preload external Deno deps

bin/core/single-arch.Dockerfile

@@ -6,13 +6,13 @@ ARG BINARIES_IMAGE=ghcr.io/moghtech/komodo-binaries:latest
 # This is required to work with COPY --from
 FROM ${BINARIES_IMAGE} AS binaries
 
-# Build Frontend
-FROM node:20.12-alpine AS frontend-builder
+# Build UI
+FROM node:22.12-alpine AS ui-builder
 WORKDIR /builder
-COPY ./frontend ./frontend
+COPY ./ui ./ui
 COPY ./client/core/ts ./client
 RUN cd client && yarn && yarn build && yarn link
-RUN cd frontend && yarn link komodo_client && yarn && yarn build
+RUN cd ui && yarn link komodo_client && yarn && yarn build
 
 FROM debian:trixie-slim
 
@@ -22,7 +22,7 @@ RUN sh ./debian-deps.sh && rm ./debian-deps.sh
 	
 # Copy
 COPY ./config/core.config.toml /config/.default.config.toml
-COPY --from=frontend-builder /builder/frontend/dist /app/frontend
+COPY --from=ui-builder /builder/ui/dist /app/ui
 COPY --from=binaries /core /usr/local/bin/core
 COPY --from=binaries /km /usr/local/bin/km
 COPY --from=denoland/deno:bin /deno /usr/local/bin/deno

bin/core/src/alert/discord.rs

@@ -16,6 +16,24 @@ pub async fn send_alert(
         "{level} | If you see this message, then Alerter **{name}** is **working**\n{link}"
       )
     }
+    AlertData::SwarmUnhealthy { id, name, err } => {
+      let link = resource_link(ResourceTargetVariant::Swarm, id);
+      match alert.level {
+        SeverityLevel::Ok => {
+          format!("{level} | Swarm **{name}** is now **healthy**\n{link}")
+        }
+        SeverityLevel::Critical => {
+          let err = err
+            .as_ref()
+            .map(|e| format!("\n**error**: {e}"))
+            .unwrap_or_default();
+          format!(
+            "{level} | Swarm **{name}** is **unhealthy** ❌\n{link}{err}"
+          )
+        }
+        _ => unreachable!(),
+      }
+    }
     AlertData::ServerVersionMismatch {
       id,
       name,
@@ -108,6 +126,8 @@ pub async fn send_alert(
     AlertData::ContainerStateChange {
       id,
       name,
+      swarm_id: _swarm_id,
+      swarm_name,
       server_id: _server_id,
       server_name,
       from,
@@ -115,37 +135,64 @@ pub async fn send_alert(
     } => {
       let link = resource_link(ResourceTargetVariant::Deployment, id);
       let to = fmt_docker_container_state(to);
+      let target = if let Some(swarm) = swarm_name {
+        format!("\nswarm: **{swarm}**")
+      } else if let Some(server) = server_name {
+        format!("\nserver: **{server}**")
+      } else {
+        format!("")
+      };
       format!(
-        "📦 Deployment **{name}** is now **{to}**\nserver: **{server_name}**\nprevious: **{from}**\n{link}"
+        "📦 Deployment **{name}** is now **{to}**{target}\nprevious: **{from}**\n{link}"
       )
     }
     AlertData::DeploymentImageUpdateAvailable {
       id,
       name,
+      swarm_id: _swarm_id,
+      swarm_name,
       server_id: _server_id,
       server_name,
       image,
     } => {
       let link = resource_link(ResourceTargetVariant::Deployment, id);
+      let target = if let Some(swarm) = swarm_name {
+        format!("\nswarm: **{swarm}**")
+      } else if let Some(server) = server_name {
+        format!("\nserver: **{server}**")
+      } else {
+        format!("")
+      };
       format!(
-        "⬆ Deployment **{name}** has an update available\nserver: **{server_name}**\nimage: **{image}**\n{link}"
+        "⬆ Deployment **{name}** has an update available{target}\nimage: **{image}**\n{link}"
       )
     }
     AlertData::DeploymentAutoUpdated {
       id,
       name,
+      swarm_id: _swarm_id,
+      swarm_name,
       server_id: _server_id,
       server_name,
       image,
     } => {
       let link = resource_link(ResourceTargetVariant::Deployment, id);
+      let target = if let Some(swarm) = swarm_name {
+        format!("\nswarm: **{swarm}**")
+      } else if let Some(server) = server_name {
+        format!("\nserver: **{server}**")
+      } else {
+        format!("")
+      };
       format!(
-        "⬆ Deployment **{name}** was updated automatically ⏫\nserver: **{server_name}**\nimage: **{image}**\n{link}"
+        "⬆ Deployment **{name}** was updated automatically ⏫{target}\nimage: **{image}**\n{link}"
       )
     }
     AlertData::StackStateChange {
       id,
       name,
+      swarm_id: _swarm_id,
+      swarm_name,
       server_id: _server_id,
       server_name,
       from,
@@ -153,26 +200,44 @@ pub async fn send_alert(
     } => {
       let link = resource_link(ResourceTargetVariant::Stack, id);
       let to = fmt_stack_state(to);
+      let target = if let Some(swarm) = swarm_name {
+        format!("\nswarm: **{swarm}**")
+      } else if let Some(server) = server_name {
+        format!("\nserver: **{server}**")
+      } else {
+        format!("")
+      };
       format!(
-        "🥞 Stack **{name}** is now {to}\nserver: **{server_name}**\nprevious: **{from}**\n{link}"
+        "🥞 Stack **{name}** is now {to}{target}\nprevious: **{from}**\n{link}"
       )
     }
     AlertData::StackImageUpdateAvailable {
       id,
       name,
+      swarm_id: _swarm_id,
+      swarm_name,
       server_id: _server_id,
       server_name,
       service,
       image,
     } => {
       let link = resource_link(ResourceTargetVariant::Stack, id);
+      let target = if let Some(swarm) = swarm_name {
+        format!("\nswarm: **{swarm}**")
+      } else if let Some(server) = server_name {
+        format!("\nserver: **{server}**")
+      } else {
+        format!("")
+      };
       format!(
-        "⬆ Stack **{name}** has an update available\nserver: **{server_name}**\nservice: **{service}**\nimage: **{image}**\n{link}"
+        "⬆ Stack **{name}** has an update available{target}\nservice: **{service}**\nimage: **{image}**\n{link}"
       )
     }
     AlertData::StackAutoUpdated {
       id,
       name,
+      swarm_id: _swarm_id,
+      swarm_name,
       server_id: _server_id,
       server_name,
       images,
@@ -181,8 +246,15 @@ pub async fn send_alert(
       let images_label =
         if images.len() > 1 { "images" } else { "image" };
       let images = images.join(", ");
+      let target = if let Some(swarm) = swarm_name {
+        format!("\nswarm: **{swarm}**")
+      } else if let Some(server) = server_name {
+        format!("\nserver: **{server}**")
+      } else {
+        format!("")
+      };
       format!(
-        "⬆ Stack **{name}** was updated automatically ⏫\nserver: **{server_name}**\n{images_label}: **{images}**\n{link}"
+        "⬆ Stack **{name}** was updated automatically ⏫{target}\n{images_label}: **{images}**\n{link}"
       )
     }
     AlertData::AwsBuilderTerminationFailed {
@@ -232,9 +304,9 @@ pub async fn send_alert(
       format!(
         "{level} | {message}{}",
         if details.is_empty() {
-          format_args!("")
+          String::new()
         } else {
-          format_args!("\n{details}")
+          format!("\n{details}")
         }
       )
     }
@@ -264,7 +336,7 @@ pub async fn send_alert(
       let sanitized_error =
         svi::replace_in_string(&format!("{e:?}"), &replacers);
       anyhow::Error::msg(format!(
-        "Error with slack request: {sanitized_error}"
+        "Error with request to Discord: {sanitized_error}"
       ))
     })
 }

bin/core/src/alert/mod.rs

@@ -1,6 +1,5 @@
 use anyhow::{Context, anyhow};
 use database::mungos::{find::find_collect, mongodb::bson::doc};
-use derive_variants::ExtractVariant;
 use futures_util::future::join_all;
 use interpolate::Interpolator;
 use komodo_client::entities::{
@@ -81,14 +80,14 @@ pub async fn send_alert_to_alerter(
     return Ok(());
   }
 
-  let alert_type = alert.data.extract_variant();
+  let alert_variant: AlertDataVariant = (&alert.data).into();
 
   // In the test case, we don't want the filters inside this
   // block to stop the test from being sent to the alerting endpoint.
-  if alert_type != AlertDataVariant::Test {
+  if alert_variant != AlertDataVariant::Test {
     // Don't send if alert type not configured on the alerter
     if !alerter.config.alert_types.is_empty()
-      && !alerter.config.alert_types.contains(&alert_type)
+      && !alerter.config.alert_types.contains(&alert_variant)
     {
       return Ok(());
     }
@@ -252,6 +251,22 @@ fn standard_alert_content(alert: &Alert) -> String {
         "{level} | If you see this message, then Alerter {name} is working\n{link}",
       )
     }
+    AlertData::SwarmUnhealthy { id, name, err } => {
+      let link = resource_link(ResourceTargetVariant::Swarm, id);
+      match alert.level {
+        SeverityLevel::Ok => {
+          format!("{level} | Swarm {name} is now healthy\n{link}")
+        }
+        SeverityLevel::Critical => {
+          let err = err
+            .as_ref()
+            .map(|e| format!("\nerror: {e}"))
+            .unwrap_or_default();
+          format!("{level} | Swarm {name} is unhealthy ❌\n{link}{err}")
+        }
+        _ => unreachable!(),
+      }
+    }
     AlertData::ServerVersionMismatch {
       id,
       name,
@@ -342,6 +357,8 @@ fn standard_alert_content(alert: &Alert) -> String {
     AlertData::ContainerStateChange {
       id,
       name,
+      swarm_id: _swarm_id,
+      swarm_name,
       server_id: _server_id,
       server_name,
       from,
@@ -349,37 +366,64 @@ fn standard_alert_content(alert: &Alert) -> String {
     } => {
       let link = resource_link(ResourceTargetVariant::Deployment, id);
       let to_state = fmt_docker_container_state(to);
+      let target = if let Some(swarm) = swarm_name {
+        format!("\nswarm: {swarm}")
+      } else if let Some(server) = server_name {
+        format!("\nserver: {server}")
+      } else {
+        format!("")
+      };
       format!(
-        "📦Deployment {name} is now {to_state}\nserver: {server_name}\nprevious: {from}\n{link}",
+        "📦Deployment {name} is now {to_state}{target}\nprevious: {from}\n{link}",
       )
     }
     AlertData::DeploymentImageUpdateAvailable {
       id,
       name,
+      swarm_id: _swarm_id,
+      swarm_name,
       server_id: _server_id,
       server_name,
       image,
     } => {
       let link = resource_link(ResourceTargetVariant::Deployment, id);
+      let target = if let Some(swarm) = swarm_name {
+        format!("\nswarm: {swarm}")
+      } else if let Some(server) = server_name {
+        format!("\nserver: {server}")
+      } else {
+        format!("")
+      };
       format!(
-        "⬆ Deployment {name} has an update available\nserver: {server_name}\nimage: {image}\n{link}",
+        "⬆ Deployment {name} has an update available{target}\nimage: {image}\n{link}",
       )
     }
     AlertData::DeploymentAutoUpdated {
       id,
       name,
+      swarm_id: _swarm_id,
+      swarm_name,
       server_id: _server_id,
       server_name,
       image,
     } => {
       let link = resource_link(ResourceTargetVariant::Deployment, id);
+      let target = if let Some(swarm) = swarm_name {
+        format!("\nswarm: {swarm}")
+      } else if let Some(server) = server_name {
+        format!("\nserver: {server}")
+      } else {
+        format!("")
+      };
       format!(
-        "⬆ Deployment {name} was updated automatically\nserver: {server_name}\nimage: {image}\n{link}",
+        "⬆ Deployment {name} was updated automatically{target}\nimage: {image}\n{link}",
       )
     }
     AlertData::StackStateChange {
       id,
       name,
+      swarm_id: _swarm_id,
+      swarm_name,
       server_id: _server_id,
       server_name,
       from,
@@ -387,26 +431,44 @@ fn standard_alert_content(alert: &Alert) -> String {
     } => {
       let link = resource_link(ResourceTargetVariant::Stack, id);
       let to_state = fmt_stack_state(to);
+      let target = if let Some(swarm) = swarm_name {
+        format!("\nswarm: {swarm}")
+      } else if let Some(server) = server_name {
+        format!("\nserver: {server}")
+      } else {
+        format!("")
+      };
       format!(
-        "🥞 Stack {name} is now {to_state}\nserver: {server_name}\nprevious: {from}\n{link}",
+        "🥞 Stack {name} is now {to_state}{target}\nprevious: {from}\n{link}",
       )
     }
     AlertData::StackImageUpdateAvailable {
       id,
       name,
+      swarm_id: _swarm_id,
+      swarm_name,
       server_id: _server_id,
       server_name,
       service,
       image,
     } => {
       let link = resource_link(ResourceTargetVariant::Stack, id);
+      let target = if let Some(swarm) = swarm_name {
+        format!("\nswarm: {swarm}")
+      } else if let Some(server) = server_name {
+        format!("\nserver: {server}")
+      } else {
+        format!("")
+      };
       format!(
-        "⬆ Stack {name} has an update available\nserver: {server_name}\nservice: {service}\nimage: {image}\n{link}",
+        "⬆ Stack {name} has an update available{target}\nservice: {service}\nimage: {image}\n{link}",
       )
     }
     AlertData::StackAutoUpdated {
       id,
       name,
+      swarm_id: _swarm_id,
+      swarm_name,
       server_id: _server_id,
       server_name,
       images,
@@ -415,8 +477,15 @@ fn standard_alert_content(alert: &Alert) -> String {
       let images_label =
         if images.len() > 1 { "images" } else { "image" };
       let images_str = images.join(", ");
+      let target = if let Some(swarm) = swarm_name {
+        format!("\nswarm: {swarm}")
+      } else if let Some(server) = server_name {
+        format!("\nserver: {server}")
+      } else {
+        format!("")
+      };
       format!(
-        "⬆ Stack {name} was updated automatically ⏫\nserver: {server_name}\n{images_label}: {images_str}\n{link}",
+        "⬆ Stack {name} was updated automatically ⏫{target}\n{images_label}: {images_str}\n{link}",
       )
     }
     AlertData::AwsBuilderTerminationFailed {
@@ -466,9 +535,9 @@ fn standard_alert_content(alert: &Alert) -> String {
       format!(
         "{level} | {message}{}",
         if details.is_empty() {
-          format_args!("")
+          String::new()
         } else {
-          format_args!("\n{details}")
+          format!("\n{details}")
         }
       )
     }

bin/core/src/alert/ntfy.rs

@@ -31,7 +31,7 @@ pub async fn send_alert(
       let sanitized_error =
         svi::replace_in_string(&format!("{e:?}"), &replacers);
       anyhow::Error::msg(format!(
-        "Error with slack request: {sanitized_error}"
+        "Error with request to Ntfy: {sanitized_error}"
       ))
     })
 }

bin/core/src/alert/pushover.rs

@@ -28,7 +28,7 @@ pub async fn send_alert(
     let sanitized_error =
       svi::replace_in_string(&format!("{e:?}"), &replacers);
     anyhow::Error::msg(format!(
-      "Error with slack request: {sanitized_error}"
+      "Error with request to Pushover: {sanitized_error}"
     ))
   })
 }

bin/core/src/alert/slack.rs

@@ -24,6 +24,41 @@ pub async fn send_alert(
       ];
       (text, blocks.into())
     }
+    AlertData::SwarmUnhealthy { id, name, err } => {
+      match alert.level {
+        SeverityLevel::Ok => {
+          let text =
+            format!("{level} | Swarm *{name}* is now *healthy*");
+          let blocks = vec![
+            Block::header(level),
+            Block::section(format!(
+              "Swarm *{name}* is now *healthy*"
+            )),
+          ];
+          (text, blocks.into())
+        }
+        SeverityLevel::Critical => {
+          let text =
+            format!("{level} | Swarm *{name}* is *unhealthy* ❌");
+          let err = err
+            .as_ref()
+            .map(|e| format!("\nerror: {e}"))
+            .unwrap_or_default();
+          let blocks = vec![
+            Block::header(level),
+            Block::section(format!(
+              "Swarm *{name}* is *unhealthy* ❌{err}"
+            )),
+            Block::section(resource_link(
+              ResourceTargetVariant::Server,
+              id,
+            )),
+          ];
+          (text, blocks.into())
+        }
+        _ => unreachable!(),
+      }
+    }
     AlertData::ServerVersionMismatch {
       id,
       name,
@@ -67,7 +102,7 @@ pub async fn send_alert(
           let blocks = vec![
             Block::header(level),
             Block::section(format!(
-              "*{name}*{region} is now *connnected*"
+              "*{name}*{region} is now *connected*"
             )),
           ];
           (text, blocks.into())
@@ -239,19 +274,26 @@ pub async fn send_alert(
     }
     AlertData::ContainerStateChange {
       name,
+      swarm_id: _swarm_id,
+      swarm_name,
+      server_id: _server_id,
       server_name,
       from,
       to,
       id,
-      ..
     } => {
       let to = fmt_docker_container_state(to);
       let text = format!("📦 Container *{name}* is now *{to}*");
+      let target = if let Some(swarm) = swarm_name {
+        format!("swarm: *{swarm}*\n")
+      } else if let Some(server) = server_name {
+        format!("server: *{server}*\n")
+      } else {
+        format!("")
+      };
       let blocks = vec![
         Block::header(text.clone()),
-        Block::section(format!(
-          "server: {server_name}\nprevious: {from}",
-        )),
+        Block::section(format!("{target}previous: {from}",)),
         Block::section(resource_link(
           ResourceTargetVariant::Deployment,
           id,
@@ -262,17 +304,24 @@ pub async fn send_alert(
     AlertData::DeploymentImageUpdateAvailable {
       id,
       name,
-      server_name,
+      swarm_id: _swarm_id,
+      swarm_name,
       server_id: _server_id,
+      server_name,
       image,
     } => {
       let text =
         format!("⬆ Deployment *{name}* has an update available");
+      let target = if let Some(swarm) = swarm_name {
+        format!("swarm: *{swarm}*\n")
+      } else if let Some(server) = server_name {
+        format!("server: *{server}*\n")
+      } else {
+        format!("")
+      };
       let blocks = vec![
         Block::header(text.clone()),
-        Block::section(format!(
-          "server: *{server_name}*\nimage: *{image}*",
-        )),
+        Block::section(format!("{target}image: *{image}*",)),
         Block::section(resource_link(
           ResourceTargetVariant::Deployment,
           id,
@@ -283,17 +332,24 @@ pub async fn send_alert(
     AlertData::DeploymentAutoUpdated {
       id,
       name,
-      server_name,
+      swarm_id: _swarm_id,
+      swarm_name,
       server_id: _server_id,
+      server_name,
       image,
     } => {
       let text =
         format!("⬆ Deployment *{name}* was updated automatically ⏫");
+      let target = if let Some(swarm) = swarm_name {
+        format!("swarm: *{swarm}*\n")
+      } else if let Some(server) = server_name {
+        format!("server: *{server}*\n")
+      } else {
+        format!("")
+      };
       let blocks = vec![
         Block::header(text.clone()),
-        Block::section(format!(
-          "server: *{server_name}*\nimage: *{image}*",
-        )),
+        Block::section(format!("{target}image: *{image}*",)),
         Block::section(resource_link(
           ResourceTargetVariant::Deployment,
           id,
@@ -303,19 +359,26 @@ pub async fn send_alert(
     }
     AlertData::StackStateChange {
       name,
+      swarm_id: _swarm_id,
+      swarm_name,
+      server_id: _server_id,
       server_name,
       from,
       to,
       id,
-      ..
     } => {
       let to = fmt_stack_state(to);
       let text = format!("🥞 Stack *{name}* is now *{to}*");
+      let target = if let Some(swarm) = swarm_name {
+        format!("swarm: *{swarm}*\n")
+      } else if let Some(server) = server_name {
+        format!("server: *{server}*\n")
+      } else {
+        format!("")
+      };
       let blocks = vec![
         Block::header(text.clone()),
-        Block::section(format!(
-          "server: *{server_name}*\nprevious: *{from}*",
-        )),
+        Block::section(format!("{target}previous: *{from}*",)),
         Block::section(resource_link(
           ResourceTargetVariant::Stack,
           id,
@@ -326,16 +389,25 @@ pub async fn send_alert(
     AlertData::StackImageUpdateAvailable {
       id,
       name,
-      server_name,
+      swarm_id: _swarm_id,
+      swarm_name,
       server_id: _server_id,
+      server_name,
       service,
       image,
     } => {
       let text = format!("⬆ Stack *{name}* has an update available");
+      let target = if let Some(swarm) = swarm_name {
+        format!("swarm: *{swarm}*\n")
+      } else if let Some(server) = server_name {
+        format!("server: *{server}*\n")
+      } else {
+        format!("")
+      };
       let blocks = vec![
         Block::header(text.clone()),
         Block::section(format!(
-          "server: *{server_name}*\nservice: *{service}*\nimage: *{image}*",
+          "{target}service: *{service}*\nimage: *{image}*",
         )),
         Block::section(resource_link(
           ResourceTargetVariant::Stack,
@@ -347,8 +419,10 @@ pub async fn send_alert(
     AlertData::StackAutoUpdated {
       id,
       name,
-      server_name,
+      swarm_id: _swarm_id,
+      swarm_name,
       server_id: _server_id,
+      server_name,
       images,
     } => {
       let text =
@@ -356,11 +430,18 @@ pub async fn send_alert(
       let images_label =
         if images.len() > 1 { "images" } else { "image" };
       let images = images.join(", ");
+      let target = if let Some(swarm) = swarm_name {
+        format!("swarm: *{swarm}*\n")
+      } else if let Some(server) = server_name {
+        format!("server: *{server}*\n")
+      } else {
+        format!("")
+      };
       let blocks = vec![
         Block::header(text.clone()),
-        Block::section(format!(
-          "server: *{server_name}*\n{images_label}: *{images}*",
-        )),
+        Block::section(
+          format!("{target}{images_label}: *{images}*",),
+        ),
         Block::section(resource_link(
           ResourceTargetVariant::Stack,
           id,
@@ -491,7 +572,7 @@ pub async fn send_alert(
       let sanitized_error =
         svi::replace_in_string(&format!("{e:?}"), &replacers);
       anyhow::Error::msg(format!(
-        "Error with slack request: {sanitized_error}"
+        "Error with request to Slack: {sanitized_error}"
       ))
     })?;
   Ok(())

bin/core/src/api/auth.rs

@@ -1,159 +0,0 @@
-use std::{sync::OnceLock, time::Instant};
-
-use axum::{Router, extract::Path, http::HeaderMap, routing::post};
-use derive_variants::{EnumVariants, ExtractVariant};
-use komodo_client::{api::auth::*, entities::user::User};
-use reqwest::StatusCode;
-use resolver_api::Resolve;
-use response::Response;
-use serde::{Deserialize, Serialize};
-use serde_json::json;
-use serror::{AddStatusCode, Json};
-use typeshare::typeshare;
-use uuid::Uuid;
-
-use crate::{
-  auth::{
-    get_user_id_from_headers,
-    github::{self, client::github_oauth_client},
-    google::{self, client::google_oauth_client},
-    oidc::{self, client::oidc_client},
-  },
-  config::core_config,
-  helpers::query::get_user,
-  state::jwt_client,
-};
-
-use super::Variant;
-
-#[derive(Default)]
-pub struct AuthArgs {
-  pub headers: HeaderMap,
-}
-
-#[typeshare]
-#[derive(
-  Serialize, Deserialize, Debug, Clone, Resolve, EnumVariants,
-)]
-#[args(AuthArgs)]
-#[response(Response)]
-#[error(serror::Error)]
-#[variant_derive(Debug)]
-#[serde(tag = "type", content = "params")]
-#[allow(clippy::enum_variant_names, clippy::large_enum_variant)]
-pub enum AuthRequest {
-  GetLoginOptions(GetLoginOptions),
-  SignUpLocalUser(SignUpLocalUser),
-  LoginLocalUser(LoginLocalUser),
-  ExchangeForJwt(ExchangeForJwt),
-  GetUser(GetUser),
-}
-
-pub fn router() -> Router {
-  let mut router = Router::new()
-    .route("/", post(handler))
-    .route("/{variant}", post(variant_handler));
-
-  if core_config().local_auth {
-    info!("🔑 Local Login Enabled");
-  }
-
-  if github_oauth_client().is_some() {
-    info!("🔑 Github Login Enabled");
-    router = router.nest("/github", github::router())
-  }
-
-  if google_oauth_client().is_some() {
-    info!("🔑 Google Login Enabled");
-    router = router.nest("/google", google::router())
-  }
-
-  if core_config().oidc_enabled {
-    info!("🔑 OIDC Login Enabled");
-    router = router.nest("/oidc", oidc::router())
-  }
-
-  router
-}
-
-async fn variant_handler(
-  headers: HeaderMap,
-  Path(Variant { variant }): Path<Variant>,
-  Json(params): Json<serde_json::Value>,
-) -> serror::Result<axum::response::Response> {
-  let req: AuthRequest = serde_json::from_value(json!({
-    "type": variant,
-    "params": params,
-  }))?;
-  handler(headers, Json(req)).await
-}
-
-async fn handler(
-  headers: HeaderMap,
-  Json(request): Json<AuthRequest>,
-) -> serror::Result<axum::response::Response> {
-  let timer = Instant::now();
-  let req_id = Uuid::new_v4();
-  debug!(
-    "/auth request {req_id} | METHOD: {:?}",
-    request.extract_variant()
-  );
-  let res = request.resolve(&AuthArgs { headers }).await;
-  if let Err(e) = &res {
-    debug!("/auth request {req_id} | error: {:#}", e.error);
-  }
-  let elapsed = timer.elapsed();
-  debug!("/auth request {req_id} | resolve time: {elapsed:?}");
-  res.map(|res| res.0)
-}
-
-fn login_options_reponse() -> &'static GetLoginOptionsResponse {
-  static GET_LOGIN_OPTIONS_RESPONSE: OnceLock<
-    GetLoginOptionsResponse,
-  > = OnceLock::new();
-  GET_LOGIN_OPTIONS_RESPONSE.get_or_init(|| {
-    let config = core_config();
-    GetLoginOptionsResponse {
-      local: config.local_auth,
-      github: github_oauth_client().is_some(),
-      google: google_oauth_client().is_some(),
-      oidc: oidc_client().load().is_some(),
-      registration_disabled: config.disable_user_registration,
-    }
-  })
-}
-
-impl Resolve<AuthArgs> for GetLoginOptions {
-  async fn resolve(
-    self,
-    _: &AuthArgs,
-  ) -> serror::Result<GetLoginOptionsResponse> {
-    Ok(*login_options_reponse())
-  }
-}
-
-impl Resolve<AuthArgs> for ExchangeForJwt {
-  async fn resolve(
-    self,
-    _: &AuthArgs,
-  ) -> serror::Result<ExchangeForJwtResponse> {
-    jwt_client()
-      .redeem_exchange_token(&self.token)
-      .await
-      .map_err(Into::into)
-  }
-}
-
-impl Resolve<AuthArgs> for GetUser {
-  async fn resolve(
-    self,
-    AuthArgs { headers }: &AuthArgs,
-  ) -> serror::Result<User> {
-    let user_id = get_user_id_from_headers(headers)
-      .await
-      .status_code(StatusCode::UNAUTHORIZED)?;
-    get_user(&user_id)
-      .await
-      .status_code(StatusCode::UNAUTHORIZED)
-  }
-}

bin/core/src/api/execute/action.rs

@@ -6,16 +6,12 @@ use std::{
 
 use anyhow::Context;
 use command::run_komodo_standard_command;
-use config::merge_objects;
 use database::mungos::{
   by_id::update_one_by_id, mongodb::bson::to_document,
 };
 use interpolate::Interpolator;
 use komodo_client::{
-  api::{
-    execute::{BatchExecutionResponse, BatchRunAction, RunAction},
-    user::{CreateApiKey, CreateApiKeyResponse, DeleteApiKey},
-  },
+  api::execute::{BatchExecutionResponse, BatchRunAction, RunAction},
   entities::{
     FileFormat, JsonObject,
     action::Action,
@@ -29,12 +25,20 @@ use komodo_client::{
   },
   parsers::parse_key_value_list,
 };
-use resolver_api::Resolve;
+use mogh_auth_client::api::manage::{
+  CreateApiKey, CreateApiKeyResponse,
+};
+use mogh_auth_server::api::manage::api_key::{
+  create_api_key, delete_api_key,
+};
+use mogh_config::merge_objects;
+use mogh_resolver::Resolve;
 use tokio::fs;
 
 use crate::{
   alert::send_alerts,
-  api::{execute::ExecuteRequest, user::UserArgs},
+  api::execute::ExecuteRequest,
+  auth::KomodoAuthImpl,
   config::core_config,
   helpers::{
     query::{VariablesAndSecrets, get_variables_and_secrets},
@@ -70,7 +74,7 @@ impl Resolve<ExecuteArgs> for BatchRunAction {
   async fn resolve(
     self,
     ExecuteArgs { user, id, .. }: &ExecuteArgs,
-  ) -> serror::Result<BatchExecutionResponse> {
+  ) -> mogh_error::Result<BatchExecutionResponse> {
     Ok(
       super::batch_execute::<BatchRunAction>(&self.pattern, user)
         .await?,
@@ -92,7 +96,7 @@ impl Resolve<ExecuteArgs> for RunAction {
   async fn resolve(
     self,
     ExecuteArgs { user, update, id }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
     let mut action = get_check_permissions::<Action>(
       &self.action,
       user,
@@ -135,72 +139,87 @@ impl Resolve<ExecuteArgs> for RunAction {
     let args = serde_json::to_string(&args)
       .context("Failed to serialize action run arguments")?;
 
-    let CreateApiKeyResponse { key, secret } = CreateApiKey {
-      name: update.id.clone(),
-      expires: 0,
-    }
-    .resolve(&UserArgs {
-      user: action_user().to_owned(),
-    })
+    let CreateApiKeyResponse { key, secret } = create_api_key(
+      &KomodoAuthImpl,
+      action_user().id.clone(),
+      CreateApiKey {
+        name: update.id.clone(),
+        expires: 0,
+      },
+    )
     .await?;
 
-    let contents = &mut action.config.file_contents;
+    // Do next steps in seperate error handling block,
+    // and delete the API key before unwrapping the error.
+    // If Komodo shuts down during these steps, there will
+    // be a dangling api key in the DB with user_id: "000000000000000000000002".
+    // These need to be
+    let res = async {
+      let contents = &mut action.config.file_contents;
 
-    // Wrap the file contents in the execution context.
-    *contents = full_contents(contents, &args, &key, &secret);
+      // Wrap the file contents in the execution context.
+      *contents = full_contents(contents, &args, &key, &secret);
 
-    let replacers =
-      interpolate(contents, &mut update, key.clone(), secret.clone())
-        .await?
-        .into_iter()
-        .collect::<Vec<_>>();
+      let replacers = interpolate(
+        contents,
+        &mut update,
+        key.clone(),
+        secret.clone(),
+      )
+      .await?
+      .into_iter()
+      .collect::<Vec<_>>();
 
-    let file = format!("{}.ts", random_string(10));
-    let path = core_config().action_directory.join(&file);
+      let file = format!("{}.ts", random_string(10));
+      let path = core_config().action_directory.join(&file);
 
-    secret_file::write_async(&path, contents)
-      .await
-      .with_context(|| {
-        format!("Failed to write action file to {path:?}")
-      })?;
+      mogh_secret_file::write_async(&path, contents)
+        .await
+        .with_context(|| {
+          format!("Failed to write action file to {path:?}")
+        })?;
 
-    let CoreConfig { ssl_enabled, .. } = core_config();
+      let CoreConfig { ssl_enabled, .. } = core_config();
 
-    let https_cert_flag = if *ssl_enabled {
-      " --unsafely-ignore-certificate-errors=localhost"
-    } else {
-      ""
-    };
+      let https_cert_flag = if *ssl_enabled {
+        " --unsafely-ignore-certificate-errors=localhost"
+      } else {
+        ""
+      };
 
-    let reload = if action.config.reload_deno_deps {
-      " --reload"
-    } else {
-      ""
-    };
+      let reload = if action.config.reload_deno_deps {
+        " --reload"
+      } else {
+        ""
+      };
 
-    let mut res = run_komodo_standard_command(
-      // Keep this stage name as is, the UI will find the latest update log by matching the stage name
-      "Execute Action",
-      None,
-      format!(
-        "deno run --allow-all{https_cert_flag}{reload} {}",
-        path.display()
-      ),
-    )
+      let mut res = run_komodo_standard_command(
+        // Keep this stage name as is, the UI will find the latest update log by matching the stage name
+        "Execute Action",
+        None,
+        format!(
+          "deno run --allow-all{https_cert_flag}{reload} {}",
+          path.display()
+        ),
+      )
+      .await;
+
+      res.stdout = svi::replace_in_string(&res.stdout, &replacers)
+        .replace(&key, "<ACTION_API_KEY>");
+      res.stderr = svi::replace_in_string(&res.stderr, &replacers)
+        .replace(&secret, "<ACTION_API_SECRET>");
+
+      cleanup_run(file + ".js", &path).await;
+
+      update.logs.push(res);
+      update.finalize();
+
+      mogh_error::Ok(update)
+    }
     .await;
 
-    res.stdout = svi::replace_in_string(&res.stdout, &replacers)
-      .replace(&key, "<ACTION_API_KEY>");
-    res.stderr = svi::replace_in_string(&res.stderr, &replacers)
-      .replace(&secret, "<ACTION_API_SECRET>");
-
-    cleanup_run(file + ".js", &path).await;
-
-    if let Err(e) = (DeleteApiKey { key })
-      .resolve(&UserArgs {
-        user: action_user().to_owned(),
-      })
-      .await
+    if let Err(e) =
+      delete_api_key(&KomodoAuthImpl, &action_user().id, key).await
     {
       warn!(
         "Failed to delete API key after action execution | {:#}",
@@ -208,8 +227,7 @@ impl Resolve<ExecuteArgs> for RunAction {
       );
     };
 
-    update.logs.push(res);
-    update.finalize();
+    let update = res?;
 
     // Need to manually update the update before cache refresh,
     // and before broadcast with update_update.
@@ -257,7 +275,7 @@ async fn interpolate(
   update: &mut Update,
   key: String,
   secret: String,
-) -> serror::Result<HashSet<(String, String)>> {
+) -> mogh_error::Result<HashSet<(String, String)>> {
   let VariablesAndSecrets {
     variables,
     mut secrets,

bin/core/src/api/execute/alerter.rs

@@ -12,9 +12,9 @@ use komodo_client::{
     permission::PermissionLevel,
   },
 };
+use mogh_error::AddStatusCodeError;
+use mogh_resolver::Resolve;
 use reqwest::StatusCode;
-use resolver_api::Resolve;
-use serror::AddStatusCodeError;
 
 use crate::{
   alert::send_alert_to_alerter, helpers::update::update_update,

bin/core/src/api/execute/build.rs

@@ -17,9 +17,12 @@ use formatting::format_serror;
 use futures_util::future::join_all;
 use interpolate::Interpolator;
 use komodo_client::{
-  api::execute::{
-    BatchExecutionResponse, BatchRunBuild, CancelBuild, Deploy,
-    RunBuild,
+  api::{
+    execute::{
+      BatchExecutionResponse, BatchRunBuild, CancelBuild, Deploy,
+      RunBuild,
+    },
+    write::RefreshBuildCache,
   },
   entities::{
     alert::{Alert, AlertData, SeverityLevel},
@@ -34,13 +37,14 @@ use komodo_client::{
     user::auto_redeploy_user,
   },
 };
+use mogh_resolver::Resolve;
 use periphery_client::api;
-use resolver_api::Resolve;
 use tokio_util::sync::CancellationToken;
 use uuid::Uuid;
 
 use crate::{
   alert::send_alerts,
+  api::write::WriteArgs,
   helpers::{
     build_git_token,
     builder::{cleanup_builder_instance, connect_builder_periphery},
@@ -79,7 +83,7 @@ impl Resolve<ExecuteArgs> for BatchRunBuild {
   async fn resolve(
     self,
     ExecuteArgs { user, id, .. }: &ExecuteArgs,
-  ) -> serror::Result<BatchExecutionResponse> {
+  ) -> mogh_error::Result<BatchExecutionResponse> {
     Ok(
       super::batch_execute::<BatchRunBuild>(&self.pattern, user)
         .await?,
@@ -101,7 +105,7 @@ impl Resolve<ExecuteArgs> for RunBuild {
   async fn resolve(
     self,
     ExecuteArgs { user, update, id }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
     let mut build = get_check_permissions::<Build>(
       &self.build,
       user,
@@ -186,7 +190,7 @@ impl Resolve<ExecuteArgs> for RunBuild {
             update.finalize();
             let id = update.id.clone();
             if let Err(e) = update_update(update).await {
-              warn!("failed to modify Update {id} on db | {e:#}");
+              warn!("Failed to modify Update {id} on db | {e:#}");
             }
             if !is_server_builder {
               cancel_clone.cancel();
@@ -215,12 +219,12 @@ impl Resolve<ExecuteArgs> for RunBuild {
       Ok(builder) => builder,
       Err(e) => {
         warn!(
-          "failed to get builder for build {} | {e:#}",
+          "Failed to get Builder for Build {} | {e:#}",
           build.name
         );
         update.logs.push(Log::error(
-          "get builder",
-          format_serror(&e.context("failed to get builder").into()),
+          "Get Builder",
+          format_serror(&e.context("Failed to get Builder").into()),
         ));
         return handle_early_return(
           update, build.id, build.name, false,
@@ -276,7 +280,7 @@ impl Resolve<ExecuteArgs> for RunBuild {
 
       let commit_message = match res {
         Ok(res) => {
-          debug!("finished repo clone");
+          debug!("Finished repo clone");
           update.logs.extend(res.res.logs);
           update.commit_hash =
             res.res.commit_hash.unwrap_or_default().to_string();
@@ -312,10 +316,10 @@ impl Resolve<ExecuteArgs> for RunBuild {
             commit_hash: optional_string(&update.commit_hash),
             // Unused for now
             additional_tags: Default::default(),
-          }) => res.context("failed at call to periphery to build"),
+          }) => res.context("Failed at call to Periphery to build"),
         _ = cancel.cancelled() => {
           info!("Build cancelled during build, cleaning up builder");
-          update.push_error_log("Build cancelled", String::from("user cancelled build during docker build"));
+          update.push_error_log("Build cancelled", String::from("User cancelled build during docker build"));
           cleanup_builder_instance(periphery, cleanup_data, &mut update)
             .await;
           return handle_early_return(update, build.id, build.name, true).await
@@ -328,10 +332,10 @@ impl Resolve<ExecuteArgs> for RunBuild {
           update.logs.extend(logs);
         }
         Err(e) => {
-          warn!("error in build | {e:#}");
+          warn!("Error in build | {e:#}");
           update.push_error_log(
             "Build Error",
-            format_serror(&e.context("failed to build").into()),
+            format_serror(&e.context("Failed to build").into()),
           )
         }
       };
@@ -382,12 +386,15 @@ impl Resolve<ExecuteArgs> for RunBuild {
 
     update_update(update.clone()).await?;
 
+    let Build { id, name, .. } = build;
+
     if update.success {
       // don't hold response up for user
       tokio::spawn(async move {
-        handle_post_build_redeploy(&build.id).await;
+        handle_post_build_redeploy(&id).await;
       });
     } else {
+      let name = name.clone();
       let target = update.target.clone();
       let version = update.version;
       tokio::spawn(async move {
@@ -398,16 +405,22 @@ impl Resolve<ExecuteArgs> for RunBuild {
           resolved_ts: Some(komodo_timestamp()),
           resolved: true,
           level: SeverityLevel::Warning,
-          data: AlertData::BuildFailed {
-            id: build.id,
-            name: build.name,
-            version,
-          },
+          data: AlertData::BuildFailed { id, name, version },
         };
         send_alerts(&[alert]).await
       });
     }
 
+    if let Err(e) = (RefreshBuildCache { build: name })
+      .resolve(&WriteArgs { user: user.clone() })
+      .await
+    {
+      update.push_error_log(
+        "Refresh build cache",
+        format_serror(&e.error.into()),
+      );
+    }
+
     Ok(update.clone())
   }
 }
@@ -418,7 +431,7 @@ async fn handle_early_return(
   build_id: String,
   build_name: String,
   is_cancel: bool,
-) -> serror::Result<Update> {
+) -> mogh_error::Result<Update> {
   update.finalize();
   // Need to manually update the update before cache refresh,
   // and before broadcast with add_update.
@@ -518,7 +531,7 @@ impl Resolve<ExecuteArgs> for CancelBuild {
   async fn resolve(
     self,
     ExecuteArgs { user, update, id }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
     let build = get_check_permissions::<Build>(
       &self.build,
       user,
@@ -565,7 +578,7 @@ impl Resolve<ExecuteArgs> for CancelBuild {
       .await
       {
         warn!(
-          "failed to set CancelBuild Update status Complete after timeout | {e:#}"
+          "Failed to set CancelBuild Update status Complete after timeout | {e:#}"
         )
       }
     });
@@ -647,7 +660,7 @@ async fn validate_account_extract_registry_tokens(
     ..
   }: &Build,
   // Maps (domain, account) -> token
-) -> serror::Result<Vec<(String, String, String)>> {
+) -> mogh_error::Result<Vec<(String, String, String)>> {
   let mut res = HashMap::with_capacity(image_registry.capacity());
 
   for (domain, account) in image_registry

bin/core/src/api/execute/deployment.rs

@@ -1,37 +1,39 @@
 use std::sync::OnceLock;
 
 use anyhow::{Context, anyhow};
-use cache::TimeoutCache;
 use formatting::format_serror;
 use interpolate::Interpolator;
 use komodo_client::{
   api::execute::*,
   entities::{
-    Version,
+    SwarmOrServer, Version,
     build::{Build, ImageRegistryConfig},
     deployment::{
-      Deployment, DeploymentImage, extract_registry_domain,
+      Deployment, DeploymentImage, DeploymentInfo,
+      extract_registry_domain,
     },
     komodo_timestamp, optional_string,
     permission::PermissionLevel,
     server::Server,
     update::{Log, Update},
-    user::User,
   },
 };
+use mogh_cache::TimeoutCache;
+use mogh_error::AddStatusCodeError;
+use mogh_resolver::Resolve;
 use periphery_client::api;
-use resolver_api::Resolve;
+use reqwest::StatusCode;
 
 use crate::{
   helpers::{
     periphery_client,
     query::{VariablesAndSecrets, get_variables_and_secrets},
     registry_token,
+    swarm::swarm_request,
     update::update_update,
   },
-  monitor::update_cache_for_server,
-  permission::get_check_permissions,
-  resource,
+  monitor::{update_cache_for_server, update_cache_for_swarm},
+  resource::{self, setup_deployment_execution},
   state::action_states,
 };
 
@@ -61,7 +63,7 @@ impl Resolve<ExecuteArgs> for BatchDeploy {
   async fn resolve(
     self,
     ExecuteArgs { user, id, .. }: &ExecuteArgs,
-  ) -> serror::Result<BatchExecutionResponse> {
+  ) -> mogh_error::Result<BatchExecutionResponse> {
     Ok(
       super::batch_execute::<BatchDeploy>(&self.pattern, user)
         .await?,
@@ -69,32 +71,6 @@ impl Resolve<ExecuteArgs> for BatchDeploy {
   }
 }
 
-#[instrument("SetupDeploy", skip_all)]
-async fn setup_deployment_execution(
-  deployment: &str,
-  user: &User,
-) -> anyhow::Result<(Deployment, Server)> {
-  let deployment = get_check_permissions::<Deployment>(
-    deployment,
-    user,
-    PermissionLevel::Execute.into(),
-  )
-  .await?;
-
-  if deployment.config.server_id.is_empty() {
-    return Err(anyhow!("Deployment has no Server configured"));
-  }
-
-  let server =
-    resource::get::<Server>(&deployment.config.server_id).await?;
-
-  if !server.config.enabled {
-    return Err(anyhow!("Attached Server is not enabled"));
-  }
-
-  Ok((deployment, server))
-}
-
 impl Resolve<ExecuteArgs> for Deploy {
   #[instrument(
     "Deploy",
@@ -111,9 +87,16 @@ impl Resolve<ExecuteArgs> for Deploy {
   async fn resolve(
     self,
     ExecuteArgs { user, update, id }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
-    let (mut deployment, server) =
-      setup_deployment_execution(&self.deployment, user).await?;
+  ) -> mogh_error::Result<Update> {
+    let (mut deployment, swarm_or_server) =
+      setup_deployment_execution(
+        &self.deployment,
+        user,
+        PermissionLevel::Execute.into(),
+      )
+      .await?;
+
+    swarm_or_server.verify_has_target()?;
 
     // get the action state for the deployment (or insert default).
     let action_state = action_states()
@@ -128,7 +111,7 @@ impl Resolve<ExecuteArgs> for Deploy {
 
     let mut update = update.clone();
 
-    // Send update after setting action state, this way frontend gets correct state.
+    // Send update after setting action state, this way UI gets correct state.
     update_update(update.clone()).await?;
 
     // This block resolves the attached Build to an actual versioned image
@@ -223,27 +206,72 @@ impl Resolve<ExecuteArgs> for Deploy {
     update.version = version;
     update_update(update.clone()).await?;
 
-    match periphery_client(&server)
-      .await?
-      .request(api::container::Deploy {
-        deployment,
-        stop_signal: self.stop_signal,
-        stop_time: self.stop_time,
-        registry_token,
-        replacers: secret_replacers.into_iter().collect(),
-      })
-      .await
-    {
-      Ok(log) => update.logs.push(log),
-      Err(e) => {
-        update.push_error_log(
-          "Deploy Container",
-          format_serror(&e.into()),
-        );
-      }
-    };
+    let deployment_id = deployment.id.clone();
 
-    update_cache_for_server(&server, true).await;
+    match swarm_or_server {
+      SwarmOrServer::None => unreachable!(),
+      SwarmOrServer::Swarm(swarm) => {
+        match swarm_request(
+          &swarm.config.server_ids,
+          api::swarm::CreateSwarmService {
+            deployment,
+            registry_token,
+            replacers: secret_replacers.into_iter().collect(),
+          },
+        )
+        .await
+        {
+          Ok(logs) => {
+            update_cache_for_swarm(&swarm, true).await;
+            update.logs.extend(logs)
+          }
+          Err(e) => {
+            update.push_error_log(
+              "Create Swarm Service",
+              format_serror(&e.into()),
+            );
+          }
+        };
+      }
+      SwarmOrServer::Server(server) => {
+        match periphery_client(&server)
+          .await?
+          .request(api::container::RunContainer {
+            deployment,
+            stop_signal: self.stop_signal,
+            stop_time: self.stop_time,
+            registry_token,
+            replacers: secret_replacers.into_iter().collect(),
+          })
+          .await
+        {
+          Ok(log) => {
+            update_cache_for_server(&server, true).await;
+            update.logs.push(log)
+          }
+          Err(e) => {
+            update.push_error_log(
+              "Deploy Container",
+              format_serror(&e.into()),
+            );
+          }
+        };
+      }
+    }
+
+    if let Err(e) = resource::update_info::<Deployment>(
+      &deployment_id,
+      &DeploymentInfo {
+        latest_image_digest: Default::default(),
+      },
+    )
+    .await
+    {
+      warn!(
+        "Failed to update deployment {} info after deploy | {e:#}",
+        deployment_id
+      );
+    }
 
     update.finalize();
     update_update(update.clone()).await?;
@@ -399,9 +427,20 @@ impl Resolve<ExecuteArgs> for PullDeployment {
   async fn resolve(
     self,
     ExecuteArgs { user, update, id }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
-    let (deployment, server) =
-      setup_deployment_execution(&self.deployment, user).await?;
+  ) -> mogh_error::Result<Update> {
+    let (deployment, swarm_or_server) = setup_deployment_execution(
+      &self.deployment,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    let SwarmOrServer::Server(server) = swarm_or_server else {
+      return Err(
+        anyhow!("PullDeployment should not be called for Deployment in Swarm Mode")
+          .status_code(StatusCode::BAD_REQUEST),
+      );
+    };
 
     // get the action state for the deployment (or insert default).
     let action_state = action_states()
@@ -415,7 +454,7 @@ impl Resolve<ExecuteArgs> for PullDeployment {
       action_state.update(|state| state.pulling = true)?;
 
     let mut update = update.clone();
-    // Send update after setting action state, this way frontend gets correct state.
+    // Send update after setting action state, this way UI gets correct state.
     update_update(update.clone()).await?;
 
     let log = pull_deployment_inner(deployment, &server).await?;
@@ -442,9 +481,20 @@ impl Resolve<ExecuteArgs> for StartDeployment {
   async fn resolve(
     self,
     ExecuteArgs { user, update, id }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
-    let (deployment, server) =
-      setup_deployment_execution(&self.deployment, user).await?;
+  ) -> mogh_error::Result<Update> {
+    let (deployment, swarm_or_server) = setup_deployment_execution(
+      &self.deployment,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    let SwarmOrServer::Server(server) = swarm_or_server else {
+      return Err(
+        anyhow!("StartDeployment should not be called for Deployment in Swarm Mode")
+          .status_code(StatusCode::BAD_REQUEST),
+      );
+    };
 
     // get the action state for the deployment (or insert default).
     let action_state = action_states()
@@ -459,7 +509,7 @@ impl Resolve<ExecuteArgs> for StartDeployment {
 
     let mut update = update.clone();
 
-    // Send update after setting action state, this way frontend gets correct state.
+    // Send update after setting action state, this way UI gets correct state.
     update_update(update.clone()).await?;
 
     let log = match periphery_client(&server)
@@ -499,9 +549,20 @@ impl Resolve<ExecuteArgs> for RestartDeployment {
   async fn resolve(
     self,
     ExecuteArgs { user, update, id }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
-    let (deployment, server) =
-      setup_deployment_execution(&self.deployment, user).await?;
+  ) -> mogh_error::Result<Update> {
+    let (deployment, swarm_or_server) = setup_deployment_execution(
+      &self.deployment,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    let SwarmOrServer::Server(server) = swarm_or_server else {
+      return Err(
+        anyhow!("RestartDeployment should not be called for Deployment in Swarm Mode")
+          .status_code(StatusCode::BAD_REQUEST),
+      );
+    };
 
     // get the action state for the deployment (or insert default).
     let action_state = action_states()
@@ -516,7 +577,7 @@ impl Resolve<ExecuteArgs> for RestartDeployment {
 
     let mut update = update.clone();
 
-    // Send update after setting action state, this way frontend gets correct state.
+    // Send update after setting action state, this way UI gets correct state.
     update_update(update.clone()).await?;
 
     let log = match periphery_client(&server)
@@ -558,9 +619,20 @@ impl Resolve<ExecuteArgs> for PauseDeployment {
   async fn resolve(
     self,
     ExecuteArgs { user, update, id }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
-    let (deployment, server) =
-      setup_deployment_execution(&self.deployment, user).await?;
+  ) -> mogh_error::Result<Update> {
+    let (deployment, swarm_or_server) = setup_deployment_execution(
+      &self.deployment,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    let SwarmOrServer::Server(server) = swarm_or_server else {
+      return Err(
+        anyhow!("PauseDeployment should not be called for Deployment in Swarm Mode")
+          .status_code(StatusCode::BAD_REQUEST),
+      );
+    };
 
     // get the action state for the deployment (or insert default).
     let action_state = action_states()
@@ -575,7 +647,7 @@ impl Resolve<ExecuteArgs> for PauseDeployment {
 
     let mut update = update.clone();
 
-    // Send update after setting action state, this way frontend gets correct state.
+    // Send update after setting action state, this way UI gets correct state.
     update_update(update.clone()).await?;
 
     let log = match periphery_client(&server)
@@ -615,9 +687,20 @@ impl Resolve<ExecuteArgs> for UnpauseDeployment {
   async fn resolve(
     self,
     ExecuteArgs { user, update, id }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
-    let (deployment, server) =
-      setup_deployment_execution(&self.deployment, user).await?;
+  ) -> mogh_error::Result<Update> {
+    let (deployment, swarm_or_server) = setup_deployment_execution(
+      &self.deployment,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    let SwarmOrServer::Server(server) = swarm_or_server else {
+      return Err(
+        anyhow!("UnpauseDeployment should not be called for Deployment in Swarm Mode")
+          .status_code(StatusCode::BAD_REQUEST),
+      );
+    };
 
     // get the action state for the deployment (or insert default).
     let action_state = action_states()
@@ -632,7 +715,7 @@ impl Resolve<ExecuteArgs> for UnpauseDeployment {
 
     let mut update = update.clone();
 
-    // Send update after setting action state, this way frontend gets correct state.
+    // Send update after setting action state, this way UI gets correct state.
     update_update(update.clone()).await?;
 
     let log = match periphery_client(&server)
@@ -676,9 +759,20 @@ impl Resolve<ExecuteArgs> for StopDeployment {
   async fn resolve(
     self,
     ExecuteArgs { user, update, id }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
-    let (deployment, server) =
-      setup_deployment_execution(&self.deployment, user).await?;
+  ) -> mogh_error::Result<Update> {
+    let (deployment, swarm_or_server) = setup_deployment_execution(
+      &self.deployment,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    let SwarmOrServer::Server(server) = swarm_or_server else {
+      return Err(
+        anyhow!("StopDeployment should not be called for Deployment in Swarm Mode")
+          .status_code(StatusCode::BAD_REQUEST),
+      );
+    };
 
     // get the action state for the deployment (or insert default).
     let action_state = action_states()
@@ -693,7 +787,7 @@ impl Resolve<ExecuteArgs> for StopDeployment {
 
     let mut update = update.clone();
 
-    // Send update after setting action state, this way frontend gets correct state.
+    // Send update after setting action state, this way UI gets correct state.
     update_update(update.clone()).await?;
 
     let log = match periphery_client(&server)
@@ -751,7 +845,7 @@ impl Resolve<ExecuteArgs> for BatchDestroyDeployment {
   async fn resolve(
     self,
     ExecuteArgs { user, id, .. }: &ExecuteArgs,
-  ) -> serror::Result<BatchExecutionResponse> {
+  ) -> mogh_error::Result<BatchExecutionResponse> {
     Ok(
       super::batch_execute::<BatchDestroyDeployment>(
         &self.pattern,
@@ -778,9 +872,15 @@ impl Resolve<ExecuteArgs> for DestroyDeployment {
   async fn resolve(
     self,
     ExecuteArgs { user, update, id }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
-    let (deployment, server) =
-      setup_deployment_execution(&self.deployment, user).await?;
+  ) -> mogh_error::Result<Update> {
+    let (deployment, swarm_or_server) = setup_deployment_execution(
+      &self.deployment,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    swarm_or_server.verify_has_target()?;
 
     // get the action state for the deployment (or insert default).
     let action_state = action_states()
@@ -795,34 +895,65 @@ impl Resolve<ExecuteArgs> for DestroyDeployment {
 
     let mut update = update.clone();
 
-    // Send update after setting action state, this way frontend gets correct state.
+    // Send update after setting action state, this way UI gets correct state.
     update_update(update.clone()).await?;
 
-    let log = match periphery_client(&server)
-      .await?
-      .request(api::container::RemoveContainer {
-        name: deployment.name,
-        signal: self
-          .signal
-          .unwrap_or(deployment.config.termination_signal)
-          .into(),
-        time: self
-          .time
-          .unwrap_or(deployment.config.termination_timeout)
-          .into(),
-      })
-      .await
-    {
-      Ok(log) => log,
-      Err(e) => Log::error(
-        "stop container",
-        format_serror(&e.context("failed to stop container").into()),
-      ),
+    let log = match swarm_or_server {
+      SwarmOrServer::None => unreachable!(),
+      SwarmOrServer::Swarm(swarm) => {
+        match swarm_request(
+          &swarm.config.server_ids,
+          api::swarm::RemoveSwarmServices {
+            services: vec![deployment.name],
+          },
+        )
+        .await
+        {
+          Ok(log) => {
+            update_cache_for_swarm(&swarm, true).await;
+            log
+          }
+          Err(e) => Log::error(
+            "Remove Swarm Service",
+            format_serror(
+              &e.context("Failed to remove swarm service").into(),
+            ),
+          ),
+        }
+      }
+      SwarmOrServer::Server(server) => {
+        match periphery_client(&server)
+          .await?
+          .request(api::container::RemoveContainer {
+            name: deployment.name,
+            signal: self
+              .signal
+              .unwrap_or(deployment.config.termination_signal)
+              .into(),
+            time: self
+              .time
+              .unwrap_or(deployment.config.termination_timeout)
+              .into(),
+          })
+          .await
+        {
+          Ok(log) => {
+            update_cache_for_server(&server, true).await;
+            log
+          }
+          Err(e) => Log::error(
+            "Destroy Container",
+            format_serror(
+              &e.context("Failed to destroy container").into(),
+            ),
+          ),
+        }
+      }
     };
 
     update.logs.push(log);
     update.finalize();
-    update_cache_for_server(&server, true).await;
+
     update_update(update.clone()).await?;
 
     Ok(update)

bin/core/src/api/execute/maintenance.rs

@@ -14,22 +14,28 @@ use komodo_client::{
     RotateAllServerKeys, RotateCoreKeys,
   },
   entities::{
-    deployment::DeploymentState, server::ServerState,
+    SwarmOrServer, deployment::DeploymentState, server::ServerState,
     stack::StackState,
   },
 };
+use mogh_error::AddStatusCodeError;
+use mogh_resolver::Resolve;
 use periphery_client::api;
 use reqwest::StatusCode;
-use resolver_api::Resolve;
-use serror::AddStatusCodeError;
 use tokio::sync::Mutex;
 
 use crate::{
-  api::execute::{
-    ExecuteArgs, pull_deployment_inner, pull_stack_inner,
+  api::{
+    execute::ExecuteArgs,
+    write::{
+      check_deployment_for_update_inner, check_stack_for_update_inner,
+    },
   },
   config::{core_config, core_keys},
-  helpers::{periphery_client, update::update_update},
+  helpers::{
+    periphery_client, query::find_swarm_or_server,
+    update::update_update,
+  },
   resource::rotate_server_keys,
   state::{
     db_client, deployment_status_cache, server_status_cache,
@@ -209,6 +215,9 @@ impl Resolve<ExecuteArgs> for GlobalAutoUpdate {
     let servers = find_collect(&db_client().servers, None, None)
       .await
       .context("Failed to query for servers from database")?;
+    let swarms = find_collect(&db_client().swarms, None, None)
+      .await
+      .context("Failed to query for swarms from database")?;
 
     let query = doc! {
       "$or": [
@@ -217,11 +226,10 @@ impl Resolve<ExecuteArgs> for GlobalAutoUpdate {
       ]
     };
 
-    let (stacks, repos) = tokio::try_join!(
-      find_collect(&db_client().stacks, query.clone(), None),
-      find_collect(&db_client().repos, None, None)
-    )
-    .context("Failed to query for resources from database")?;
+    let stacks =
+      find_collect(&db_client().stacks, query.clone(), None)
+        .await
+        .context("Failed to query for stacks from database")?;
 
     let server_status_cache = server_status_cache();
     let stack_status_cache = stack_status_cache();
@@ -234,10 +242,23 @@ impl Resolve<ExecuteArgs> for GlobalAutoUpdate {
       else {
         continue;
       };
+
       // Only pull running stacks.
       if !matches!(status.curr.state, StackState::Running) {
         continue;
       }
+
+      let swarm_or_server = find_swarm_or_server(
+        &stack.config.swarm_id,
+        &swarms,
+        &stack.config.server_id,
+        &servers,
+      )?;
+
+      if let SwarmOrServer::None = &swarm_or_server {
+        continue;
+      }
+
       if let Some(server) =
         servers.iter().find(|s| s.id == stack.config.server_id)
         // This check is probably redundant along with running check
@@ -248,39 +269,28 @@ impl Resolve<ExecuteArgs> for GlobalAutoUpdate {
           .map(|s| matches!(s.state, ServerState::Ok))
           .unwrap_or_default()
       {
-        let name = stack.name.clone();
-        let repo = if stack.config.linked_repo.is_empty() {
-          None
-        } else {
-          let Some(repo) =
-            repos.iter().find(|r| r.id == stack.config.linked_repo)
-          else {
-            update.push_error_log(
-              &format!("Pull Stack {name}"),
-              format!(
-                "Did not find any Repo matching {}",
-                stack.config.linked_repo
-              ),
-            );
-            continue;
-          };
-          Some(repo.clone())
-        };
-        if let Err(e) =
-          pull_stack_inner(stack, Vec::new(), server, repo, None)
-            .await
+        if let Err(e) = check_stack_for_update_inner(
+          stack.id,
+          &swarm_or_server,
+          self.skip_auto_update,
+          true,
+          false,
+        )
+        .await
         {
           update.push_error_log(
-            &format!("Pull Stack {name}"),
+            &format!("Check Stack {}", stack.name),
             format_serror(&e.into()),
           );
         } else {
           if !update.logs[0].stdout.is_empty() {
             update.logs[0].stdout.push('\n');
           }
-          update.logs[0]
-            .stdout
-            .push_str(&format!("Pulled Stack {} ✅", bold(name)));
+
+          update.logs[0].stdout.push_str(&format!(
+            "Checked Stack {} ✅",
+            bold(&stack.name)
+          ));
         }
       }
     }
@@ -290,43 +300,51 @@ impl Resolve<ExecuteArgs> for GlobalAutoUpdate {
       find_collect(&db_client().deployments, query, None)
         .await
         .context("Failed to query for deployments from database")?;
+
     for deployment in deployments {
       let Some(status) =
         deployment_status_cache.get(&deployment.id).await
       else {
         continue;
       };
+
       // Only pull running deployments.
       if !matches!(status.curr.state, DeploymentState::Running) {
         continue;
       }
-      if let Some(server) =
-        servers.iter().find(|s| s.id == deployment.config.server_id)
-        // This check is probably redundant along with running check
-        // but shouldn't hurt
-        && server_status_cache
-          .get(&server.id)
-          .await
-          .map(|s| matches!(s.state, ServerState::Ok))
-          .unwrap_or_default()
+
+      let swarm_or_server = find_swarm_or_server(
+        &deployment.config.swarm_id,
+        &swarms,
+        &deployment.config.server_id,
+        &servers,
+      )?;
+
+      if let SwarmOrServer::None = &swarm_or_server {
+        continue;
+      }
+
+      let name = deployment.name.clone();
+
+      if let Err(e) = check_deployment_for_update_inner(
+        deployment,
+        &swarm_or_server,
+        self.skip_auto_update,
+        true,
+      )
+      .await
       {
-        let name = deployment.name.clone();
-        if let Err(e) =
-          pull_deployment_inner(deployment, server).await
-        {
-          update.push_error_log(
-            &format!("Pull Deployment {name}"),
-            format_serror(&e.into()),
-          );
-        } else {
-          if !update.logs[0].stdout.is_empty() {
-            update.logs[0].stdout.push('\n');
-          }
-          update.logs[0].stdout.push_str(&format!(
-            "Pulled Deployment {} ✅",
-            bold(name)
-          ));
+        update.push_error_log(
+          &format!("Check Deployment {name}"),
+          format_serror(&e.into()),
+        );
+      } else {
+        if !update.logs[0].stdout.is_empty() {
+          update.logs[0].stdout.push('\n');
         }
+        update.logs[0]
+          .stdout
+          .push_str(&format!("Checked Deployment {} ✅", bold(name)));
       }
     }
 
@@ -523,7 +541,10 @@ impl Resolve<ExecuteArgs> for RotateCoreKeys {
       );
     }
 
-    let public_key = core_keys.rotate().await?.into_inner();
+    let public_key = core_keys
+      .rotate(mogh_pki::PkiKind::Mutual)
+      .await?
+      .into_inner();
 
     info!("New Public Key: {public_key}");
 

bin/core/src/api/execute/mod.rs

@@ -6,7 +6,6 @@ use axum::{
 };
 use axum_extra::{TypedHeader, headers::ContentType};
 use database::mungos::by_id::find_one_by_id;
-use derive_variants::{EnumVariants, ExtractVariant};
 use formatting::format_serror;
 use futures_util::future::join_all;
 use komodo_client::{
@@ -18,17 +17,18 @@ use komodo_client::{
     user::User,
   },
 };
-use resolver_api::Resolve;
-use response::JsonString;
+use mogh_auth_server::middleware::authenticate_request;
+use mogh_error::Json;
+use mogh_error::JsonString;
+use mogh_resolver::Resolve;
 use serde::{Deserialize, Serialize};
 use serde_json::json;
-use serror::Json;
-use strum::Display;
+use strum::{Display, EnumDiscriminants};
 use typeshare::typeshare;
 use uuid::Uuid;
 
 use crate::{
-  auth::auth_request,
+  auth::KomodoAuthImpl,
   helpers::update::{init_execution_update, update_update},
   resource::{KomodoResource, list_full_for_user_using_pattern},
   state::db_client,
@@ -43,14 +43,11 @@ mod procedure;
 mod repo;
 mod server;
 mod stack;
+mod swarm;
 mod sync;
 
 use super::Variant;
 
-pub use {
-  deployment::pull_deployment_inner, stack::pull_stack_inner,
-};
-
 pub struct ExecuteArgs {
   /// The execution id.
   /// Unique for every /execute call.
@@ -61,37 +58,14 @@ pub struct ExecuteArgs {
 
 #[typeshare]
 #[derive(
-  Serialize, Deserialize, Debug, Clone, Resolve, EnumVariants,
+  Serialize, Deserialize, Debug, Clone, Resolve, EnumDiscriminants,
 )]
-#[variant_derive(Debug, Display)]
+#[strum_discriminants(name(ExecuteRequestVariant), derive(Display))]
 #[args(ExecuteArgs)]
 #[response(JsonString)]
-#[error(serror::Error)]
+#[error(mogh_error::Error)]
 #[serde(tag = "type", content = "params")]
 pub enum ExecuteRequest {
-  // ==== SERVER ====
-  StartContainer(StartContainer),
-  RestartContainer(RestartContainer),
-  PauseContainer(PauseContainer),
-  UnpauseContainer(UnpauseContainer),
-  StopContainer(StopContainer),
-  DestroyContainer(DestroyContainer),
-  StartAllContainers(StartAllContainers),
-  RestartAllContainers(RestartAllContainers),
-  PauseAllContainers(PauseAllContainers),
-  UnpauseAllContainers(UnpauseAllContainers),
-  StopAllContainers(StopAllContainers),
-  PruneContainers(PruneContainers),
-  DeleteNetwork(DeleteNetwork),
-  PruneNetworks(PruneNetworks),
-  DeleteImage(DeleteImage),
-  PruneImages(PruneImages),
-  DeleteVolume(DeleteVolume),
-  PruneVolumes(PruneVolumes),
-  PruneDockerBuilders(PruneDockerBuilders),
-  PruneBuildx(PruneBuildx),
-  PruneSystem(PruneSystem),
-
   // ==== STACK ====
   DeployStack(DeployStack),
   BatchDeployStack(BatchDeployStack),
@@ -142,12 +116,46 @@ pub enum ExecuteRequest {
   RunAction(RunAction),
   BatchRunAction(BatchRunAction),
 
+  // ==== SYNC ====
+  RunSync(RunSync),
+
   // ==== ALERTER ====
   TestAlerter(TestAlerter),
   SendAlert(SendAlert),
 
-  // ==== SYNC ====
-  RunSync(RunSync),
+  // ==== SERVER ====
+  StartContainer(StartContainer),
+  RestartContainer(RestartContainer),
+  PauseContainer(PauseContainer),
+  UnpauseContainer(UnpauseContainer),
+  StopContainer(StopContainer),
+  DestroyContainer(DestroyContainer),
+  StartAllContainers(StartAllContainers),
+  RestartAllContainers(RestartAllContainers),
+  PauseAllContainers(PauseAllContainers),
+  UnpauseAllContainers(UnpauseAllContainers),
+  StopAllContainers(StopAllContainers),
+  PruneContainers(PruneContainers),
+  DeleteNetwork(DeleteNetwork),
+  PruneNetworks(PruneNetworks),
+  DeleteImage(DeleteImage),
+  PruneImages(PruneImages),
+  DeleteVolume(DeleteVolume),
+  PruneVolumes(PruneVolumes),
+  PruneDockerBuilders(PruneDockerBuilders),
+  PruneBuildx(PruneBuildx),
+  PruneSystem(PruneSystem),
+
+  // ==== SWARM ====
+  RemoveSwarmNodes(RemoveSwarmNodes),
+  RemoveSwarmStacks(RemoveSwarmStacks),
+  RemoveSwarmServices(RemoveSwarmServices),
+  CreateSwarmConfig(CreateSwarmConfig),
+  RotateSwarmConfig(RotateSwarmConfig),
+  RemoveSwarmConfigs(RemoveSwarmConfigs),
+  CreateSwarmSecret(CreateSwarmSecret),
+  RotateSwarmSecret(RotateSwarmSecret),
+  RemoveSwarmSecrets(RemoveSwarmSecrets),
 
   // ==== MAINTENANCE ====
   ClearRepoCache(ClearRepoCache),
@@ -161,14 +169,16 @@ pub fn router() -> Router {
   Router::new()
     .route("/", post(handler))
     .route("/{variant}", post(variant_handler))
-    .layer(middleware::from_fn(auth_request))
+    .layer(middleware::from_fn(
+      authenticate_request::<KomodoAuthImpl, true>,
+    ))
 }
 
 async fn variant_handler(
   user: Extension<User>,
   Path(Variant { variant }): Path<Variant>,
   Json(params): Json<serde_json::Value>,
-) -> serror::Result<(TypedHeader<ContentType>, String)> {
+) -> mogh_error::Result<(TypedHeader<ContentType>, String)> {
   let req: ExecuteRequest = serde_json::from_value(json!({
     "type": variant,
     "params": params,
@@ -179,7 +189,7 @@ async fn variant_handler(
 async fn handler(
   Extension(user): Extension<User>,
   Json(request): Json<ExecuteRequest>,
-) -> serror::Result<(TypedHeader<ContentType>, String)> {
+) -> mogh_error::Result<(TypedHeader<ContentType>, String)> {
   let res = match inner_handler(request, user).await? {
     ExecutionResult::Single(update) => serde_json::to_string(&update)
       .context("Failed to serialize Update")?,
@@ -257,8 +267,8 @@ pub fn inner_handler(
           let mut update =
             find_one_by_id(&db_client().updates, &update_id)
               .await
-              .context("failed to query to db")?
-              .context("no update exists with given id")?;
+              .context("Failed to query to db")?
+              .context("No update exists with given id")?;
           update.logs.push(log);
           update.finalize();
           update_update(update).await
@@ -267,7 +277,7 @@ pub fn inner_handler(
 
         if let Err(e) = res {
           warn!(
-            "failed to update update with task error log | {e:#}"
+            "Failed to update update with task error log | {e:#}"
           );
         }
       }
@@ -283,11 +293,11 @@ async fn task(
   user: User,
   update: Update,
 ) -> anyhow::Result<String> {
-  let variant = request.extract_variant();
+  let variant: ExecuteRequestVariant = (&request).into();
 
   info!(
-    "/execute request {id} | {variant} | user: {}",
-    user.username
+    "EXECUTE REQUEST {id} | METHOD: {variant} | USER: {} ({})",
+    user.username, user.id
   );
 
   let res =
@@ -301,7 +311,7 @@ async fn task(
     };
 
   if let Err(e) = &res {
-    warn!("/execute request {id} error: {e:#}");
+    warn!("EXECUTE REQUEST {id} | METHOD: {variant} | ERROR: {e:#}");
   }
 
   res

bin/core/src/api/execute/procedure.rs

@@ -17,7 +17,7 @@ use komodo_client::{
     user::User,
   },
 };
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;
 use tokio::sync::Mutex;
 
 use crate::{
@@ -46,7 +46,7 @@ impl Resolve<ExecuteArgs> for BatchRunProcedure {
   async fn resolve(
     self,
     ExecuteArgs { user, .. }: &ExecuteArgs,
-  ) -> serror::Result<BatchExecutionResponse> {
+  ) -> mogh_error::Result<BatchExecutionResponse> {
     Ok(
       super::batch_execute::<BatchRunProcedure>(&self.pattern, user)
         .await?,
@@ -68,7 +68,7 @@ impl Resolve<ExecuteArgs> for RunProcedure {
   async fn resolve(
     self,
     ExecuteArgs { user, update, id }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
     Ok(
       resolve_inner(self.procedure, user.clone(), update.clone())
         .await?,

bin/core/src/api/execute/repo.rs

@@ -22,8 +22,8 @@ use komodo_client::{
     update::{Log, Update},
   },
 };
+use mogh_resolver::Resolve;
 use periphery_client::api;
-use resolver_api::Resolve;
 use tokio_util::sync::CancellationToken;
 
 use crate::{
@@ -63,7 +63,7 @@ impl Resolve<ExecuteArgs> for BatchCloneRepo {
   async fn resolve(
     self,
     ExecuteArgs { user, id, .. }: &ExecuteArgs,
-  ) -> serror::Result<BatchExecutionResponse> {
+  ) -> mogh_error::Result<BatchExecutionResponse> {
     Ok(
       super::batch_execute::<BatchCloneRepo>(&self.pattern, user)
         .await?,
@@ -85,7 +85,7 @@ impl Resolve<ExecuteArgs> for CloneRepo {
   async fn resolve(
     self,
     ExecuteArgs { user, update, id }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
     let mut repo = get_check_permissions::<Repo>(
       &self.repo,
       user,
@@ -194,7 +194,7 @@ impl Resolve<ExecuteArgs> for BatchPullRepo {
   async fn resolve(
     self,
     ExecuteArgs { user, id, .. }: &ExecuteArgs,
-  ) -> serror::Result<BatchExecutionResponse> {
+  ) -> mogh_error::Result<BatchExecutionResponse> {
     Ok(
       super::batch_execute::<BatchPullRepo>(&self.pattern, user)
         .await?,
@@ -216,7 +216,7 @@ impl Resolve<ExecuteArgs> for PullRepo {
   async fn resolve(
     self,
     ExecuteArgs { user, update, id }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
     let mut repo = get_check_permissions::<Repo>(
       &self.repo,
       user,
@@ -316,7 +316,7 @@ impl Resolve<ExecuteArgs> for PullRepo {
 )]
 async fn handle_repo_update_return(
   update: Update,
-) -> serror::Result<Update> {
+) -> mogh_error::Result<Update> {
   // Need to manually update the update before cache refresh,
   // and before broadcast with add_update.
   // The Err case of to_document should be unreachable,
@@ -371,7 +371,7 @@ impl Resolve<ExecuteArgs> for BatchBuildRepo {
   async fn resolve(
     self,
     ExecuteArgs { user, id, .. }: &ExecuteArgs,
-  ) -> serror::Result<BatchExecutionResponse> {
+  ) -> mogh_error::Result<BatchExecutionResponse> {
     Ok(
       super::batch_execute::<BatchBuildRepo>(&self.pattern, user)
         .await?,
@@ -393,7 +393,7 @@ impl Resolve<ExecuteArgs> for BuildRepo {
   async fn resolve(
     self,
     ExecuteArgs { user, update, id }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
     let mut repo = get_check_permissions::<Repo>(
       &self.repo,
       user,
@@ -614,7 +614,7 @@ async fn handle_builder_early_return(
   repo_id: String,
   repo_name: String,
   is_cancel: bool,
-) -> serror::Result<Update> {
+) -> mogh_error::Result<Update> {
   update.finalize();
   // Need to manually update the update before cache refresh,
   // and before broadcast with add_update.
@@ -714,7 +714,7 @@ impl Resolve<ExecuteArgs> for CancelRepoBuild {
   async fn resolve(
     self,
     ExecuteArgs { user, update, id }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
     let repo = get_check_permissions::<Repo>(
       &self.repo,
       user,

bin/core/src/api/execute/server.rs

@@ -9,8 +9,8 @@ use komodo_client::{
     update::{Log, Update},
   },
 };
+use mogh_resolver::Resolve;
 use periphery_client::api;
-use resolver_api::Resolve;
 
 use crate::{
   helpers::{periphery_client, update::update_update},
@@ -36,7 +36,7 @@ impl Resolve<ExecuteArgs> for StartContainer {
   async fn resolve(
     self,
     ExecuteArgs { user, update, id }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
     let server = get_check_permissions::<Server>(
       &self.server,
       user,
@@ -57,7 +57,7 @@ impl Resolve<ExecuteArgs> for StartContainer {
 
     let mut update = update.clone();
 
-    // Send update after setting action state, this way frontend gets correct state.
+    // Send update after setting action state, this way UI gets correct state.
     update_update(update.clone()).await?;
 
     let periphery = periphery_client(&server).await?;
@@ -70,8 +70,8 @@ impl Resolve<ExecuteArgs> for StartContainer {
     {
       Ok(log) => log,
       Err(e) => Log::error(
-        "start container",
-        format_serror(&e.context("failed to start container").into()),
+        "Start Container",
+        format_serror(&e.context("Failed to start container").into()),
       ),
     };
 
@@ -100,7 +100,7 @@ impl Resolve<ExecuteArgs> for RestartContainer {
   async fn resolve(
     self,
     ExecuteArgs { user, update, id }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
     let server = get_check_permissions::<Server>(
       &self.server,
       user,
@@ -121,7 +121,7 @@ impl Resolve<ExecuteArgs> for RestartContainer {
 
     let mut update = update.clone();
 
-    // Send update after setting action state, this way frontend gets correct state.
+    // Send update after setting action state, this way UI gets correct state.
     update_update(update.clone()).await?;
 
     let periphery = periphery_client(&server).await?;
@@ -134,9 +134,9 @@ impl Resolve<ExecuteArgs> for RestartContainer {
     {
       Ok(log) => log,
       Err(e) => Log::error(
-        "restart container",
+        "Restart Container",
         format_serror(
-          &e.context("failed to restart container").into(),
+          &e.context("Failed to restart container").into(),
         ),
       ),
     };
@@ -166,7 +166,7 @@ impl Resolve<ExecuteArgs> for PauseContainer {
   async fn resolve(
     self,
     ExecuteArgs { user, update, id }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
     let server = get_check_permissions::<Server>(
       &self.server,
       user,
@@ -187,7 +187,7 @@ impl Resolve<ExecuteArgs> for PauseContainer {
 
     let mut update = update.clone();
 
-    // Send update after setting action state, this way frontend gets correct state.
+    // Send update after setting action state, this way UI gets correct state.
     update_update(update.clone()).await?;
 
     let periphery = periphery_client(&server).await?;
@@ -200,8 +200,8 @@ impl Resolve<ExecuteArgs> for PauseContainer {
     {
       Ok(log) => log,
       Err(e) => Log::error(
-        "pause container",
-        format_serror(&e.context("failed to pause container").into()),
+        "Pause Container",
+        format_serror(&e.context("Failed to pause container").into()),
       ),
     };
 
@@ -230,7 +230,7 @@ impl Resolve<ExecuteArgs> for UnpauseContainer {
   async fn resolve(
     self,
     ExecuteArgs { user, update, id }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
     let server = get_check_permissions::<Server>(
       &self.server,
       user,
@@ -251,7 +251,7 @@ impl Resolve<ExecuteArgs> for UnpauseContainer {
 
     let mut update = update.clone();
 
-    // Send update after setting action state, this way frontend gets correct state.
+    // Send update after setting action state, this way UI gets correct state.
     update_update(update.clone()).await?;
 
     let periphery = periphery_client(&server).await?;
@@ -264,9 +264,9 @@ impl Resolve<ExecuteArgs> for UnpauseContainer {
     {
       Ok(log) => log,
       Err(e) => Log::error(
-        "unpause container",
+        "Unpause Container",
         format_serror(
-          &e.context("failed to unpause container").into(),
+          &e.context("Failed to unpause container").into(),
         ),
       ),
     };
@@ -298,7 +298,7 @@ impl Resolve<ExecuteArgs> for StopContainer {
   async fn resolve(
     self,
     ExecuteArgs { user, update, id }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
     let server = get_check_permissions::<Server>(
       &self.server,
       user,
@@ -319,7 +319,7 @@ impl Resolve<ExecuteArgs> for StopContainer {
 
     let mut update = update.clone();
 
-    // Send update after setting action state, this way frontend gets correct state.
+    // Send update after setting action state, this way UI gets correct state.
     update_update(update.clone()).await?;
 
     let periphery = periphery_client(&server).await?;
@@ -334,8 +334,8 @@ impl Resolve<ExecuteArgs> for StopContainer {
     {
       Ok(log) => log,
       Err(e) => Log::error(
-        "stop container",
-        format_serror(&e.context("failed to stop container").into()),
+        "Stop Container",
+        format_serror(&e.context("Failed to stop container").into()),
       ),
     };
 
@@ -366,7 +366,7 @@ impl Resolve<ExecuteArgs> for DestroyContainer {
   async fn resolve(
     self,
     ExecuteArgs { user, update, id }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
     let DestroyContainer {
       server,
       container,
@@ -393,7 +393,7 @@ impl Resolve<ExecuteArgs> for DestroyContainer {
 
     let mut update = update.clone();
 
-    // Send update after setting action state, this way frontend gets correct state.
+    // Send update after setting action state, this way UI gets correct state.
     update_update(update.clone()).await?;
 
     let periphery = periphery_client(&server).await?;
@@ -408,8 +408,10 @@ impl Resolve<ExecuteArgs> for DestroyContainer {
     {
       Ok(log) => log,
       Err(e) => Log::error(
-        "stop container",
-        format_serror(&e.context("failed to stop container").into()),
+        "Remove Container",
+        format_serror(
+          &e.context("Failed to remove container").into(),
+        ),
       ),
     };
 
@@ -437,7 +439,7 @@ impl Resolve<ExecuteArgs> for StartAllContainers {
   async fn resolve(
     self,
     ExecuteArgs { user, update, id }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
     let server = get_check_permissions::<Server>(
       &self.server,
       user,
@@ -464,13 +466,13 @@ impl Resolve<ExecuteArgs> for StartAllContainers {
       .await?
       .request(api::container::StartAllContainers {})
       .await
-      .context("failed to start all containers on host")?;
+      .context("Failed to start all containers on host")?;
 
     update.logs.extend(logs);
 
     if all_logs_success(&update.logs) {
       update.push_simple_log(
-        "start all containers",
+        "Start All Containers",
         String::from("All containers have been started on the host."),
       );
     }
@@ -497,7 +499,7 @@ impl Resolve<ExecuteArgs> for RestartAllContainers {
   async fn resolve(
     self,
     ExecuteArgs { user, update, id }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
     let server = get_check_permissions::<Server>(
       &self.server,
       user,
@@ -524,13 +526,13 @@ impl Resolve<ExecuteArgs> for RestartAllContainers {
       .await?
       .request(api::container::RestartAllContainers {})
       .await
-      .context("failed to restart all containers on host")?;
+      .context("Failed to restart all containers on host")?;
 
     update.logs.extend(logs);
 
     if all_logs_success(&update.logs) {
       update.push_simple_log(
-        "restart all containers",
+        "Restart All Containers",
         String::from(
           "All containers have been restarted on the host.",
         ),
@@ -559,7 +561,7 @@ impl Resolve<ExecuteArgs> for PauseAllContainers {
   async fn resolve(
     self,
     ExecuteArgs { user, update, id }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
     let server = get_check_permissions::<Server>(
       &self.server,
       user,
@@ -586,13 +588,13 @@ impl Resolve<ExecuteArgs> for PauseAllContainers {
       .await?
       .request(api::container::PauseAllContainers {})
       .await
-      .context("failed to pause all containers on host")?;
+      .context("Failed to pause all containers on host")?;
 
     update.logs.extend(logs);
 
     if all_logs_success(&update.logs) {
       update.push_simple_log(
-        "pause all containers",
+        "Pause All Containers",
         String::from("All containers have been paused on the host."),
       );
     }
@@ -619,7 +621,7 @@ impl Resolve<ExecuteArgs> for UnpauseAllContainers {
   async fn resolve(
     self,
     ExecuteArgs { user, update, id }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
     let server = get_check_permissions::<Server>(
       &self.server,
       user,
@@ -646,13 +648,13 @@ impl Resolve<ExecuteArgs> for UnpauseAllContainers {
       .await?
       .request(api::container::UnpauseAllContainers {})
       .await
-      .context("failed to unpause all containers on host")?;
+      .context("Failed to unpause all containers on host")?;
 
     update.logs.extend(logs);
 
     if all_logs_success(&update.logs) {
       update.push_simple_log(
-        "unpause all containers",
+        "Unpause All Containers",
         String::from(
           "All containers have been unpaused on the host.",
         ),
@@ -681,7 +683,7 @@ impl Resolve<ExecuteArgs> for StopAllContainers {
   async fn resolve(
     self,
     ExecuteArgs { user, update, id }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
     let server = get_check_permissions::<Server>(
       &self.server,
       user,
@@ -708,13 +710,13 @@ impl Resolve<ExecuteArgs> for StopAllContainers {
       .await?
       .request(api::container::StopAllContainers {})
       .await
-      .context("failed to stop all containers on host")?;
+      .context("Failed to stop all containers on host")?;
 
     update.logs.extend(logs);
 
     if all_logs_success(&update.logs) {
       update.push_simple_log(
-        "stop all containers",
+        "Stop All Containers",
         String::from("All containers have been stopped on the host."),
       );
     }
@@ -741,7 +743,7 @@ impl Resolve<ExecuteArgs> for PruneContainers {
   async fn resolve(
     self,
     ExecuteArgs { user, update, id }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
     let server = get_check_permissions::<Server>(
       &self.server,
       user,
@@ -770,14 +772,14 @@ impl Resolve<ExecuteArgs> for PruneContainers {
       .request(api::container::PruneContainers {})
       .await
       .context(format!(
-        "failed to prune containers on server {}",
+        "Failed to prune containers on server {}",
         server.name
       )) {
       Ok(log) => log,
       Err(e) => Log::error(
-        "prune containers",
+        "Prune Containers",
         format_serror(
-          &e.context("failed to prune containers").into(),
+          &e.context("Failed to prune containers").into(),
         ),
       ),
     };
@@ -807,7 +809,7 @@ impl Resolve<ExecuteArgs> for DeleteNetwork {
   async fn resolve(
     self,
     ExecuteArgs { user, update, id }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
     let server = get_check_permissions::<Server>(
       &self.server,
       user,
@@ -827,15 +829,15 @@ impl Resolve<ExecuteArgs> for DeleteNetwork {
       })
       .await
       .context(format!(
-        "failed to delete network {} on server {}",
+        "Failed to delete network {} on server {}",
         self.name, server.name
       )) {
       Ok(log) => log,
       Err(e) => Log::error(
-        "delete network",
+        "Delete Network",
         format_serror(
           &e.context(format!(
-            "failed to delete network {}",
+            "Failed to delete network {}",
             self.name
           ))
           .into(),
@@ -867,7 +869,7 @@ impl Resolve<ExecuteArgs> for PruneNetworks {
   async fn resolve(
     self,
     ExecuteArgs { user, update, id }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
     let server = get_check_permissions::<Server>(
       &self.server,
       user,
@@ -896,13 +898,13 @@ impl Resolve<ExecuteArgs> for PruneNetworks {
       .request(api::docker::PruneNetworks {})
       .await
       .context(format!(
-        "failed to prune networks on server {}",
+        "Failed to prune networks on server {}",
         server.name
       )) {
       Ok(log) => log,
       Err(e) => Log::error(
-        "prune networks",
-        format_serror(&e.context("failed to prune networks").into()),
+        "Prune Networks",
+        format_serror(&e.context("Failed to prune networks").into()),
       ),
     };
 
@@ -931,7 +933,7 @@ impl Resolve<ExecuteArgs> for DeleteImage {
   async fn resolve(
     self,
     ExecuteArgs { user, update, id }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
     let server = get_check_permissions::<Server>(
       &self.server,
       user,
@@ -951,14 +953,14 @@ impl Resolve<ExecuteArgs> for DeleteImage {
       })
       .await
       .context(format!(
-        "failed to delete image {} on server {}",
+        "Failed to delete image {} on server {}",
         self.name, server.name
       )) {
       Ok(log) => log,
       Err(e) => Log::error(
         "delete image",
         format_serror(
-          &e.context(format!("failed to delete image {}", self.name))
+          &e.context(format!("Failed to delete image {}", self.name))
             .into(),
         ),
       ),
@@ -988,7 +990,7 @@ impl Resolve<ExecuteArgs> for PruneImages {
   async fn resolve(
     self,
     ExecuteArgs { user, update, id }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
     let server = get_check_permissions::<Server>(
       &self.server,
       user,
@@ -1017,9 +1019,9 @@ impl Resolve<ExecuteArgs> for PruneImages {
       match periphery.request(api::docker::PruneImages {}).await {
         Ok(log) => log,
         Err(e) => Log::error(
-          "prune images",
+          "Prune Images",
           format!(
-            "failed to prune images on server {} | {e:#?}",
+            "Failed to prune images on server {} | {e:#?}",
             server.name
           ),
         ),
@@ -1050,7 +1052,7 @@ impl Resolve<ExecuteArgs> for DeleteVolume {
   async fn resolve(
     self,
     ExecuteArgs { user, update, id }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
     let server = get_check_permissions::<Server>(
       &self.server,
       user,
@@ -1070,7 +1072,7 @@ impl Resolve<ExecuteArgs> for DeleteVolume {
       })
       .await
       .context(format!(
-        "failed to delete volume {} on server {}",
+        "Failed to delete volume {} on server {}",
         self.name, server.name
       )) {
       Ok(log) => log,
@@ -1078,7 +1080,7 @@ impl Resolve<ExecuteArgs> for DeleteVolume {
         "delete volume",
         format_serror(
           &e.context(format!(
-            "failed to delete volume {}",
+            "Failed to delete volume {}",
             self.name
           ))
           .into(),
@@ -1110,7 +1112,7 @@ impl Resolve<ExecuteArgs> for PruneVolumes {
   async fn resolve(
     self,
     ExecuteArgs { user, update, id }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
     let server = get_check_permissions::<Server>(
       &self.server,
       user,
@@ -1139,9 +1141,9 @@ impl Resolve<ExecuteArgs> for PruneVolumes {
       match periphery.request(api::docker::PruneVolumes {}).await {
         Ok(log) => log,
         Err(e) => Log::error(
-          "prune volumes",
+          "Prune Volumes",
           format!(
-            "failed to prune volumes on server {} | {e:#?}",
+            "Failed to prune volumes on server {} | {e:#?}",
             server.name
           ),
         ),
@@ -1171,7 +1173,7 @@ impl Resolve<ExecuteArgs> for PruneDockerBuilders {
   async fn resolve(
     self,
     ExecuteArgs { user, update, id }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
     let server = get_check_permissions::<Server>(
       &self.server,
       user,
@@ -1200,9 +1202,9 @@ impl Resolve<ExecuteArgs> for PruneDockerBuilders {
       match periphery.request(api::build::PruneBuilders {}).await {
         Ok(log) => log,
         Err(e) => Log::error(
-          "prune builders",
+          "Prune Builders",
           format!(
-            "failed to docker builder prune on server {} | {e:#?}",
+            "Failed to docker builder prune on server {} | {e:#?}",
             server.name
           ),
         ),
@@ -1232,7 +1234,7 @@ impl Resolve<ExecuteArgs> for PruneBuildx {
   async fn resolve(
     self,
     ExecuteArgs { user, update, id }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
     let server = get_check_permissions::<Server>(
       &self.server,
       user,
@@ -1261,9 +1263,9 @@ impl Resolve<ExecuteArgs> for PruneBuildx {
       match periphery.request(api::build::PruneBuildx {}).await {
         Ok(log) => log,
         Err(e) => Log::error(
-          "prune buildx",
+          "Prune Buildx",
           format!(
-            "failed to docker buildx prune on server {} | {e:#?}",
+            "Failed to docker buildx prune on server {} | {e:#?}",
             server.name
           ),
         ),
@@ -1293,7 +1295,7 @@ impl Resolve<ExecuteArgs> for PruneSystem {
   async fn resolve(
     self,
     ExecuteArgs { user, update, id }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
     let server = get_check_permissions::<Server>(
       &self.server,
       user,
@@ -1321,9 +1323,9 @@ impl Resolve<ExecuteArgs> for PruneSystem {
     let log = match periphery.request(api::PruneSystem {}).await {
       Ok(log) => log,
       Err(e) => Log::error(
-        "prune system",
+        "Prune System",
         format!(
-          "failed to docker system prune on server {} | {e:#?}",
+          "Failed to docker system prune on server {} | {e:#?}",
           server.name
         ),
       ),

bin/core/src/api/execute/stack.rs

@@ -1,6 +1,6 @@
 use std::{collections::HashSet, str::FromStr};
 
-use anyhow::Context;
+use anyhow::{Context, anyhow};
 use database::mungos::mongodb::bson::{
   doc, oid::ObjectId, to_bson, to_document,
 };
@@ -9,7 +9,7 @@ use interpolate::Interpolator;
 use komodo_client::{
   api::{execute::*, write::RefreshStackCache},
   entities::{
-    FileContents,
+    FileContents, SwarmOrServer,
     permission::PermissionLevel,
     repo::Repo,
     server::Server,
@@ -20,8 +20,12 @@ use komodo_client::{
     user::User,
   },
 };
-use periphery_client::api::compose::*;
-use resolver_api::Resolve;
+use mogh_error::AddStatusCodeError as _;
+use mogh_resolver::Resolve;
+use periphery_client::api::{
+  DeployStackResponse, compose::*, swarm::DeploySwarmStack,
+};
+use reqwest::StatusCode;
 use uuid::Uuid;
 
 use crate::{
@@ -30,14 +34,20 @@ use crate::{
     periphery_client,
     query::{VariablesAndSecrets, get_variables_and_secrets},
     stack_git_token,
+    swarm::swarm_request,
     update::{
       add_update_without_send, init_execution_update, update_update,
     },
   },
-  monitor::update_cache_for_server,
+  monitor::{update_cache_for_server, update_cache_for_swarm},
   permission::get_check_permissions,
   resource,
-  stack::{execute::execute_compose, get_stack_and_server},
+  stack::{
+    execute::{
+      execute_compose, execute_compose_with_stack_and_server,
+    },
+    setup_stack_execution,
+  },
   state::{action_states, db_client},
 };
 
@@ -67,7 +77,7 @@ impl Resolve<ExecuteArgs> for BatchDeployStack {
   async fn resolve(
     self,
     ExecuteArgs { user, id, .. }: &ExecuteArgs,
-  ) -> serror::Result<BatchExecutionResponse> {
+  ) -> mogh_error::Result<BatchExecutionResponse> {
     Ok(
       super::batch_execute::<BatchDeployStack>(&self.pattern, user)
         .await?,
@@ -91,15 +101,16 @@ impl Resolve<ExecuteArgs> for DeployStack {
   async fn resolve(
     self,
     ExecuteArgs { user, update, id }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
-    let (mut stack, server) = get_stack_and_server(
+  ) -> mogh_error::Result<Update> {
+    let (mut stack, swarm_or_server) = setup_stack_execution(
       &self.stack,
       user,
       PermissionLevel::Execute.into(),
-      true,
     )
     .await?;
 
+    swarm_or_server.verify_has_target()?;
+
     let mut repo = if !stack.config.files_on_host
       && !stack.config.linked_repo.is_empty()
     {
@@ -165,27 +176,45 @@ impl Resolve<ExecuteArgs> for DeployStack {
       Default::default()
     };
 
-    let ComposeUpResponse {
+    let DeployStackResponse {
       logs,
       deployed,
       services,
       file_contents,
       missing_files,
       remote_errors,
-      compose_config,
+      merged_config,
       commit_hash,
       commit_message,
-    } = periphery_client(&server)
-      .await?
-      .request(ComposeUp {
-        stack: stack.clone(),
-        services: self.services,
-        repo,
-        git_token,
-        registry_token,
-        replacers: secret_replacers.into_iter().collect(),
-      })
-      .await?;
+    } = match &swarm_or_server {
+      SwarmOrServer::None => unreachable!(),
+      SwarmOrServer::Swarm(swarm) => {
+        swarm_request(
+          &swarm.config.server_ids,
+          DeploySwarmStack {
+            stack: stack.clone(),
+            repo,
+            git_token,
+            registry_token,
+            replacers: secret_replacers.into_iter().collect(),
+          },
+        )
+        .await?
+      }
+      SwarmOrServer::Server(server) => {
+        periphery_client(server)
+          .await?
+          .request(ComposeUp {
+            stack: stack.clone(),
+            services: self.services,
+            repo,
+            git_token,
+            registry_token,
+            replacers: secret_replacers.into_iter().collect(),
+          })
+          .await?
+      }
+    };
 
     update.logs.extend(logs);
 
@@ -219,7 +248,7 @@ impl Resolve<ExecuteArgs> for DeployStack {
               })
               .collect(),
           ),
-          compose_config,
+          merged_config,
           commit_hash.clone(),
           commit_message.clone(),
         )
@@ -257,7 +286,7 @@ impl Resolve<ExecuteArgs> for DeployStack {
       };
 
       let info = to_document(&info)
-        .context("failed to serialize stack info to bson")?;
+        .context("Failed to serialize stack info to bson")?;
 
       db_client()
         .stacks
@@ -266,22 +295,30 @@ impl Resolve<ExecuteArgs> for DeployStack {
           doc! { "$set": { "info": info } },
         )
         .await
-        .context("failed to update stack info on db")?;
+        .context("Failed to update stack info on db")?;
       anyhow::Ok(())
     };
 
     // This will be weird with single service deploys. Come back to it.
     if let Err(e) = update_info.await {
       update.push_error_log(
-        "refresh stack info",
+        "Refresh Stack Info",
         format_serror(
-          &e.context("failed to refresh stack info on db").into(),
+          &e.context("Failed to refresh stack info on db").into(),
         ),
       )
     }
 
     // Ensure cached stack state up to date by updating server cache
-    update_cache_for_server(&server, true).await;
+    match swarm_or_server {
+      SwarmOrServer::None => unreachable!(),
+      SwarmOrServer::Swarm(swarm) => {
+        update_cache_for_swarm(&swarm, true).await;
+      }
+      SwarmOrServer::Server(server) => {
+        update_cache_for_server(&server, true).await;
+      }
+    }
 
     update.finalize();
     update_update(update.clone()).await?;
@@ -313,7 +350,7 @@ impl Resolve<ExecuteArgs> for BatchDeployStackIfChanged {
   async fn resolve(
     self,
     ExecuteArgs { user, id, .. }: &ExecuteArgs,
-  ) -> serror::Result<BatchExecutionResponse> {
+  ) -> mogh_error::Result<BatchExecutionResponse> {
     Ok(
       super::batch_execute::<BatchDeployStackIfChanged>(
         &self.pattern,
@@ -339,7 +376,7 @@ impl Resolve<ExecuteArgs> for DeployStackIfChanged {
   async fn resolve(
     self,
     ExecuteArgs { user, update, id }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
     let stack = get_check_permissions::<Stack>(
       &self.stack,
       user,
@@ -518,7 +555,7 @@ async fn deploy_services(
   stack: String,
   services: Vec<String>,
   user: &User,
-) -> serror::Result<Update> {
+) -> mogh_error::Result<Update> {
   // The existing update is initialized to DeployStack,
   // but also has not been created on database.
   // Setup a new update here.
@@ -552,7 +589,7 @@ async fn restart_services(
   stack: String,
   services: Vec<String>,
   user: &User,
-) -> serror::Result<Update> {
+) -> mogh_error::Result<Update> {
   // The existing update is initialized to DeployStack,
   // but also has not been created on database.
   // Setup a new update here.
@@ -737,7 +774,7 @@ impl Resolve<ExecuteArgs> for BatchPullStack {
   async fn resolve(
     self,
     ExecuteArgs { user, id, .. }: &ExecuteArgs,
-  ) -> serror::Result<BatchExecutionResponse> {
+  ) -> mogh_error::Result<BatchExecutionResponse> {
     Ok(
       super::batch_execute::<BatchPullStack>(&self.pattern, user)
         .await?,
@@ -861,15 +898,23 @@ impl Resolve<ExecuteArgs> for PullStack {
   async fn resolve(
     self,
     ExecuteArgs { user, update, id }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
-    let (stack, server) = get_stack_and_server(
+  ) -> mogh_error::Result<Update> {
+    let (stack, swarm_or_server) = setup_stack_execution(
       &self.stack,
       user,
       PermissionLevel::Execute.into(),
-      true,
     )
     .await?;
 
+    let SwarmOrServer::Server(server) = swarm_or_server else {
+      return Err(
+        anyhow!(
+          "PullStack should not be called for Stack in Swarm Mode"
+        )
+        .status_code(StatusCode::BAD_REQUEST),
+      );
+    };
+
     let repo = if !stack.config.files_on_host
       && !stack.config.linked_repo.is_empty()
     {
@@ -924,7 +969,7 @@ impl Resolve<ExecuteArgs> for StartStack {
   async fn resolve(
     self,
     ExecuteArgs { user, update, id }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
     execute_compose::<StartStack>(
       &self.stack,
       self.services,
@@ -953,7 +998,7 @@ impl Resolve<ExecuteArgs> for RestartStack {
   async fn resolve(
     self,
     ExecuteArgs { user, update, id }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
     execute_compose::<RestartStack>(
       &self.stack,
       self.services,
@@ -984,7 +1029,7 @@ impl Resolve<ExecuteArgs> for PauseStack {
   async fn resolve(
     self,
     ExecuteArgs { user, update, id }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
     execute_compose::<PauseStack>(
       &self.stack,
       self.services,
@@ -1013,7 +1058,7 @@ impl Resolve<ExecuteArgs> for UnpauseStack {
   async fn resolve(
     self,
     ExecuteArgs { user, update, id }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
     execute_compose::<UnpauseStack>(
       &self.stack,
       self.services,
@@ -1042,7 +1087,7 @@ impl Resolve<ExecuteArgs> for StopStack {
   async fn resolve(
     self,
     ExecuteArgs { user, update, id }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
     execute_compose::<StopStack>(
       &self.stack,
       self.services,
@@ -1081,7 +1126,7 @@ impl Resolve<ExecuteArgs> for BatchDestroyStack {
   async fn resolve(
     self,
     ExecuteArgs { user, id, .. }: &ExecuteArgs,
-  ) -> serror::Result<BatchExecutionResponse> {
+  ) -> mogh_error::Result<BatchExecutionResponse> {
     super::batch_execute::<BatchDestroyStack>(&self.pattern, user)
       .await
       .map_err(Into::into)
@@ -1105,17 +1150,81 @@ impl Resolve<ExecuteArgs> for DestroyStack {
   async fn resolve(
     self,
     ExecuteArgs { user, update, id }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
-    execute_compose::<DestroyStack>(
+  ) -> mogh_error::Result<Update> {
+    let (stack, swarm_or_server) = setup_stack_execution(
       &self.stack,
-      self.services,
       user,
-      |state| state.destroying = true,
-      update.clone(),
-      (self.stop_time, self.remove_orphans),
+      PermissionLevel::Execute.into(),
     )
-    .await
-    .map_err(Into::into)
+    .await?;
+
+    swarm_or_server.verify_has_target()?;
+
+    match swarm_or_server {
+      SwarmOrServer::None => unreachable!(),
+      SwarmOrServer::Swarm(swarm) => {
+        if !self.services.is_empty() {
+          return Err(
+            anyhow!("Cannot destroy specific Stack services when in Swarm mode.")
+              .status_code(StatusCode::BAD_REQUEST)
+          );
+        }
+
+        // get the action state for the stack (or insert default).
+        let action_state = action_states()
+          .stack
+          .get_or_insert_default(&stack.id)
+          .await;
+
+        // Will check to ensure stack not already busy before updating, and return Err if so.
+        // The returned guard will set the action state back to default when dropped.
+        let _action_guard =
+          action_state.update(|state| state.destroying = true)?;
+
+        let mut update = update.clone();
+        // Send update here for UI to recheck action state
+        update_update(update.clone()).await?;
+
+        match swarm_request(
+          &swarm.config.server_ids,
+          periphery_client::api::swarm::RemoveSwarmStacks {
+            stacks: vec![stack.project_name(false)],
+            detach: false,
+          },
+        )
+        .await
+        {
+          Ok(log) => update.logs.push(log),
+          Err(e) => update.push_error_log(
+            "Destroy Stack",
+            format_serror(
+              &e.context("Failed to 'docker stack rm' on swarm")
+                .into(),
+            ),
+          ),
+        }
+
+        // Ensure cached stack state up to date by updating swarm cache
+        update_cache_for_swarm(&swarm, true).await;
+
+        update.finalize();
+        update_update(update.clone()).await?;
+
+        Ok(update)
+      }
+      SwarmOrServer::Server(server) => {
+        execute_compose_with_stack_and_server::<DestroyStack>(
+          stack,
+          server,
+          self.services,
+          |state| state.destroying = true,
+          update.clone(),
+          (self.stop_time, self.remove_orphans),
+        )
+        .await
+        .map_err(Into::into)
+      }
+    }
   }
 }
 
@@ -1135,15 +1244,23 @@ impl Resolve<ExecuteArgs> for RunStackService {
   async fn resolve(
     self,
     ExecuteArgs { user, update, id }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
-    let (mut stack, server) = get_stack_and_server(
+  ) -> mogh_error::Result<Update> {
+    let (mut stack, swarm_or_server) = setup_stack_execution(
       &self.stack,
       user,
       PermissionLevel::Execute.into(),
-      true,
     )
     .await?;
 
+    let SwarmOrServer::Server(server) = swarm_or_server else {
+      return Err(
+        anyhow!(
+          "RunStackService should not be called for Stack in Swarm Mode"
+        )
+        .status_code(StatusCode::BAD_REQUEST),
+      );
+    };
+
     let mut repo = if !stack.config.files_on_host
       && !stack.config.linked_repo.is_empty()
     {

bin/core/src/api/execute/swarm.rs

@@ -0,0 +1,516 @@
+use formatting::format_serror;
+use komodo_client::{
+  api::execute::{
+    CreateSwarmConfig, CreateSwarmSecret, RemoveSwarmConfigs,
+    RemoveSwarmNodes, RemoveSwarmSecrets, RemoveSwarmServices,
+    RemoveSwarmStacks, RotateSwarmConfig, RotateSwarmSecret,
+  },
+  entities::{permission::PermissionLevel, swarm::Swarm},
+};
+use mogh_resolver::Resolve;
+
+use crate::{
+  api::execute::ExecuteArgs,
+  helpers::{swarm::swarm_request, update::update_update},
+  monitor::update_cache_for_swarm,
+  permission::get_check_permissions,
+};
+
+impl Resolve<ExecuteArgs> for RemoveSwarmNodes {
+  #[instrument(
+    "RemoveSwarmNodes",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      swarm = self.swarm,
+      nodes = serde_json::to_string(&self.nodes).unwrap_or_else(|e| e.to_string()),
+      force = self.force,
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    update_update(update.clone()).await?;
+
+    let mut update = update.clone();
+
+    match swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::RemoveSwarmNodes {
+        nodes: self.nodes,
+        force: self.force,
+      },
+    )
+    .await
+    {
+      Ok(log) => {
+        update.logs.push(log);
+        update_cache_for_swarm(&swarm, true).await;
+      }
+      Err(e) => update.push_error_log(
+        "Remove Swarm Nodes",
+        format_serror(
+          &e.context("Failed to remove swarm nodes").into(),
+        ),
+      ),
+    };
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+impl Resolve<ExecuteArgs> for RemoveSwarmStacks {
+  #[instrument(
+    "RemoveSwarmStacks",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      swarm = self.swarm,
+      stacks = serde_json::to_string(&self.stacks).unwrap_or_else(|e| e.to_string()),
+      detach = self.detach,
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    update_update(update.clone()).await?;
+
+    let mut update = update.clone();
+
+    match swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::RemoveSwarmStacks {
+        stacks: self.stacks,
+        detach: self.detach,
+      },
+    )
+    .await
+    {
+      Ok(log) => {
+        update.logs.push(log);
+        update_cache_for_swarm(&swarm, true).await;
+      }
+      Err(e) => update.push_error_log(
+        "Remove Swarm Stacks",
+        format_serror(
+          &e.context("Failed to remove swarm stacks").into(),
+        ),
+      ),
+    };
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+impl Resolve<ExecuteArgs> for RemoveSwarmServices {
+  #[instrument(
+    "RemoveSwarmServices",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      swarm = self.swarm,
+      services = serde_json::to_string(&self.services).unwrap_or_else(|e| e.to_string()),
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    update_update(update.clone()).await?;
+
+    let mut update = update.clone();
+
+    match swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::RemoveSwarmServices {
+        services: self.services,
+      },
+    )
+    .await
+    {
+      Ok(log) => {
+        update.logs.push(log);
+        update_cache_for_swarm(&swarm, true).await;
+      }
+      Err(e) => update.push_error_log(
+        "Remove Swarm Services",
+        format_serror(
+          &e.context("Failed to remove swarm services").into(),
+        ),
+      ),
+    };
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+impl Resolve<ExecuteArgs> for CreateSwarmConfig {
+  #[instrument(
+    "CreateSwarmConfig",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      swarm = self.swarm,
+      config = self.name,
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    update_update(update.clone()).await?;
+
+    let mut update = update.clone();
+
+    match swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::CreateSwarmConfig {
+        name: self.name,
+        data: self.data,
+        labels: self.labels,
+        template_driver: self.template_driver,
+      },
+    )
+    .await
+    {
+      Ok(log) => {
+        update.logs.push(log);
+        update_cache_for_swarm(&swarm, true).await;
+      }
+      Err(e) => update.push_error_log(
+        "Create Swarm Config",
+        format_serror(
+          &e.context("Failed to create swarm config").into(),
+        ),
+      ),
+    };
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+impl Resolve<ExecuteArgs> for RotateSwarmConfig {
+  #[instrument(
+    "RotateSwarmConfig",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      swarm = self.swarm,
+      config = self.config,
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    update_update(update.clone()).await?;
+
+    let mut update = update.clone();
+
+    match swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::RotateSwarmConfig {
+        config: self.config,
+        data: self.data,
+      },
+    )
+    .await
+    {
+      Ok(logs) => {
+        update.logs.extend(logs);
+        update_cache_for_swarm(&swarm, true).await;
+      }
+      Err(e) => update.push_error_log(
+        "Rotate Swarm Config",
+        format_serror(
+          &e.context("Failed to rotate swarm config").into(),
+        ),
+      ),
+    };
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+impl Resolve<ExecuteArgs> for RemoveSwarmConfigs {
+  #[instrument(
+    "RemoveSwarmConfigs",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      swarm = self.swarm,
+      configs = serde_json::to_string(&self.configs).unwrap_or_else(|e| e.to_string()),
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    update_update(update.clone()).await?;
+
+    let mut update = update.clone();
+
+    match swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::RemoveSwarmConfigs {
+        configs: self.configs,
+      },
+    )
+    .await
+    {
+      Ok(log) => {
+        update.logs.push(log);
+        update_cache_for_swarm(&swarm, true).await;
+      }
+      Err(e) => update.push_error_log(
+        "Remove Swarm Configs",
+        format_serror(
+          &e.context("Failed to remove swarm configs").into(),
+        ),
+      ),
+    };
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+impl Resolve<ExecuteArgs> for CreateSwarmSecret {
+  #[instrument(
+    "CreateSwarmSecret",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      swarm = self.swarm,
+      secret = self.name,
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    update_update(update.clone()).await?;
+
+    let mut update = update.clone();
+
+    match swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::CreateSwarmSecret {
+        name: self.name,
+        data: self.data,
+        driver: self.driver,
+        labels: self.labels,
+        template_driver: self.template_driver,
+      },
+    )
+    .await
+    {
+      Ok(log) => {
+        update.logs.push(log);
+        update_cache_for_swarm(&swarm, true).await;
+      }
+      Err(e) => update.push_error_log(
+        "Create Swarm Secret",
+        format_serror(
+          &e.context("Failed to create swarm secret").into(),
+        ),
+      ),
+    };
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+impl Resolve<ExecuteArgs> for RotateSwarmSecret {
+  #[instrument(
+    "RotateSwarmSecret",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      swarm = self.swarm,
+      secret = self.secret,
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    update_update(update.clone()).await?;
+
+    let mut update = update.clone();
+
+    match swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::RotateSwarmSecret {
+        secret: self.secret,
+        data: self.data,
+      },
+    )
+    .await
+    {
+      Ok(logs) => {
+        update.logs.extend(logs);
+        update_cache_for_swarm(&swarm, true).await;
+      }
+      Err(e) => update.push_error_log(
+        "Rotate Swarm Secret",
+        format_serror(
+          &e.context("Failed to rotate swarm secret").into(),
+        ),
+      ),
+    };
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+impl Resolve<ExecuteArgs> for RemoveSwarmSecrets {
+  #[instrument(
+    "RemoveSwarmSecrets",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      swarm = self.swarm,
+      secrets = serde_json::to_string(&self.secrets).unwrap_or_else(|e| e.to_string()),
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    update_update(update.clone()).await?;
+
+    let mut update = update.clone();
+
+    match swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::RemoveSwarmSecrets {
+        secrets: self.secrets,
+      },
+    )
+    .await
+    {
+      Ok(log) => {
+        update.logs.push(log);
+        update_cache_for_swarm(&swarm, true).await;
+      }
+      Err(e) => update.push_error_log(
+        "Remove Swarm Secrets",
+        format_serror(
+          &e.context("Failed to remove swarm secrets").into(),
+        ),
+      ),
+    };
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}

bin/core/src/api/execute/sync.rs

@@ -26,7 +26,7 @@ use komodo_client::{
     user::sync_user,
   },
 };
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;
 
 use crate::{
   api::write::WriteArgs,
@@ -64,7 +64,7 @@ impl Resolve<ExecuteArgs> for RunSync {
   async fn resolve(
     self,
     ExecuteArgs { user, update, id }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
     let RunSync {
       sync,
       resource_type: match_resource_type,
@@ -136,34 +136,10 @@ impl Resolve<ExecuteArgs> for RunSync {
           };
           match ObjectId::from_str(&name_or_id) {
             Ok(_) => match resource_type {
-              ResourceTargetVariant::Alerter => all_resources
-                .alerters
+              ResourceTargetVariant::Swarm => all_resources
+                .swarms
                 .get(&name_or_id)
-                .map(|a| a.name.clone()),
-              ResourceTargetVariant::Build => all_resources
-                .builds
-                .get(&name_or_id)
-                .map(|b| b.name.clone()),
-              ResourceTargetVariant::Builder => all_resources
-                .builders
-                .get(&name_or_id)
-                .map(|b| b.name.clone()),
-              ResourceTargetVariant::Deployment => all_resources
-                .deployments
-                .get(&name_or_id)
-                .map(|d| d.name.clone()),
-              ResourceTargetVariant::Procedure => all_resources
-                .procedures
-                .get(&name_or_id)
-                .map(|p| p.name.clone()),
-              ResourceTargetVariant::Action => all_resources
-                .actions
-                .get(&name_or_id)
-                .map(|p| p.name.clone()),
-              ResourceTargetVariant::Repo => all_resources
-                .repos
-                .get(&name_or_id)
-                .map(|r| r.name.clone()),
+                .map(|s| s.name.clone()),
               ResourceTargetVariant::Server => all_resources
                 .servers
                 .get(&name_or_id)
@@ -172,10 +148,38 @@ impl Resolve<ExecuteArgs> for RunSync {
                 .stacks
                 .get(&name_or_id)
                 .map(|s| s.name.clone()),
+              ResourceTargetVariant::Deployment => all_resources
+                .deployments
+                .get(&name_or_id)
+                .map(|d| d.name.clone()),
+              ResourceTargetVariant::Build => all_resources
+                .builds
+                .get(&name_or_id)
+                .map(|b| b.name.clone()),
+              ResourceTargetVariant::Repo => all_resources
+                .repos
+                .get(&name_or_id)
+                .map(|r| r.name.clone()),
+              ResourceTargetVariant::Procedure => all_resources
+                .procedures
+                .get(&name_or_id)
+                .map(|p| p.name.clone()),
+              ResourceTargetVariant::Action => all_resources
+                .actions
+                .get(&name_or_id)
+                .map(|p| p.name.clone()),
               ResourceTargetVariant::ResourceSync => all_resources
                 .syncs
                 .get(&name_or_id)
                 .map(|s| s.name.clone()),
+              ResourceTargetVariant::Builder => all_resources
+                .builders
+                .get(&name_or_id)
+                .map(|b| b.name.clone()),
+              ResourceTargetVariant::Alerter => all_resources
+                .alerters
+                .get(&name_or_id)
+                .map(|a| a.name.clone()),
               ResourceTargetVariant::System => None,
             },
             Err(_) => Some(name_or_id),

bin/core/src/api/listener/integrations/github.rs

@@ -5,10 +5,9 @@ use hmac::{Hmac, Mac};
 use serde::Deserialize;
 use sha2::Sha256;
 
-use crate::{
-  config::core_config,
-  listener::{ExtractBranch, VerifySecret},
-};
+use crate::config::core_config;
+
+use super::{ExtractBranch, VerifySecret};
 
 type HmacSha256 = Hmac<Sha256>;
 
@@ -18,7 +17,7 @@ pub struct Github;
 impl VerifySecret for Github {
   #[instrument("VerifyGithubSecret", skip_all)]
   fn verify_secret(
-    headers: HeaderMap,
+    headers: &HeaderMap,
     body: &str,
     custom_secret: &str,
   ) -> anyhow::Result<()> {

bin/core/src/api/listener/integrations/gitlab.rs

@@ -1,10 +1,10 @@
 use anyhow::{Context, anyhow};
+use axum::http::HeaderMap;
 use serde::Deserialize;
 
-use crate::{
-  config::core_config,
-  listener::{ExtractBranch, VerifySecret},
-};
+use crate::config::core_config;
+
+use super::{ExtractBranch, VerifySecret};
 
 /// Listener implementation for Gitlab type API
 pub struct Gitlab;
@@ -12,7 +12,7 @@ pub struct Gitlab;
 impl VerifySecret for Gitlab {
   #[instrument("VerifyGitlabSecret", skip_all)]
   fn verify_secret(
-    headers: axum::http::HeaderMap,
+    headers: &HeaderMap,
     _body: &str,
     custom_secret: &str,
   ) -> anyhow::Result<()> {

bin/core/src/api/listener/integrations/mod.rs

@@ -0,0 +1,4 @@
+pub mod github;
+pub mod gitlab;
+
+use super::{ExtractBranch, VerifySecret};

bin/core/src/api/listener/mod.rs

@@ -2,8 +2,8 @@ use std::sync::Arc;
 
 use anyhow::anyhow;
 use axum::{Router, http::HeaderMap};
-use cache::CloneCache;
 use komodo_client::entities::resource::Resource;
+use mogh_cache::CloneCache;
 use tokio::sync::Mutex;
 
 use crate::resource::KomodoResource;
@@ -32,7 +32,7 @@ trait CustomSecret: KomodoResource {
 /// Implemented on the integration struct, eg [integrations::github::Github]
 trait VerifySecret {
   fn verify_secret(
-    headers: HeaderMap,
+    headers: &HeaderMap,
     body: &str,
     custom_secret: &str,
   ) -> anyhow::Result<()>;

bin/core/src/api/listener/resources.rs

@@ -11,7 +11,7 @@ use komodo_client::{
     stack::Stack, sync::ResourceSync, user::git_webhook_user,
   },
 };
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;
 use serde::Deserialize;
 use serde_json::json;
 use uuid::Uuid;
@@ -241,11 +241,11 @@ fn stack_locks() -> &'static ListenerLockCache {
 }
 
 pub trait StackExecution {
-  async fn resolve(stack: Stack) -> serror::Result<()>;
+  async fn resolve(stack: Stack) -> mogh_error::Result<()>;
 }
 
 impl StackExecution for RefreshStackCache {
-  async fn resolve(stack: Stack) -> serror::Result<()> {
+  async fn resolve(stack: Stack) -> mogh_error::Result<()> {
     RefreshStackCache { stack: stack.id }
       .resolve(&WriteArgs {
         user: git_webhook_user().to_owned(),
@@ -256,7 +256,7 @@ impl StackExecution for RefreshStackCache {
 }
 
 impl StackExecution for DeployStack {
-  async fn resolve(stack: Stack) -> serror::Result<()> {
+  async fn resolve(stack: Stack) -> mogh_error::Result<()> {
     let user = git_webhook_user().to_owned();
     if stack.config.webhook_force_deploy {
       let req = ExecuteRequest::DeployStack(DeployStack {

bin/core/src/api/listener/router.rs

@@ -1,14 +1,18 @@
+use std::net::IpAddr;
+
 use axum::{Router, extract::Path, http::HeaderMap, routing::post};
 use komodo_client::entities::{
   action::Action, build::Build, procedure::Procedure, repo::Repo,
   resource::Resource, stack::Stack, sync::ResourceSync,
 };
+use mogh_auth_server::request_ip::RequestIp;
+use mogh_error::AddStatusCode;
+use mogh_rate_limit::WithFailureRateLimit;
 use reqwest::StatusCode;
 use serde::Deserialize;
-use serror::AddStatusCode;
 use tracing::Instrument;
 
-use crate::resource::KomodoResource;
+use crate::{auth::GENERAL_RATE_LIMITER, resource::KomodoResource};
 
 use super::{
   CustomSecret, ExtractBranch, VerifySecret,
@@ -47,9 +51,9 @@ pub fn router<P: VerifySecret + ExtractBranch>() -> Router {
   .route(
     "/build/{id}",
     post(
-      |Path(Id { id }), headers: HeaderMap, body: String| async move {
+      |Path(Id { id }), RequestIp(ip), headers: HeaderMap, body: String| async move {
         let build =
-          auth_webhook::<P, Build>(&id, headers, &body).await?;
+          auth_webhook::<P, Build>(&id, &headers, ip, &body).await?;
         tokio::spawn(async move {
           let span = info_span!("BuildWebhook", id);
           async {
@@ -66,16 +70,16 @@ pub fn router<P: VerifySecret + ExtractBranch>() -> Router {
           .instrument(span)
           .await
         });
-        serror::Result::Ok(())
+        mogh_error::Result::Ok(())
       },
     ),
   )
   .route(
     "/repo/{id}/{option}",
     post(
-      |Path(IdAndOption::<RepoWebhookOption> { id, option }), headers: HeaderMap, body: String| async move {
+      |Path(IdAndOption::<RepoWebhookOption> { id, option }), RequestIp(ip), headers: HeaderMap, body: String| async move {
         let repo =
-          auth_webhook::<P, Repo>(&id, headers, &body).await?;
+          auth_webhook::<P, Repo>(&id, &headers, ip, &body).await?;
         tokio::spawn(async move {
           let span = info_span!("RepoWebhook", id);
           async {
@@ -92,16 +96,16 @@ pub fn router<P: VerifySecret + ExtractBranch>() -> Router {
           .instrument(span)
           .await
         });
-        serror::Result::Ok(())
+        mogh_error::Result::Ok(())
       },
     ),
   )
   .route(
     "/stack/{id}/{option}",
     post(
-      |Path(IdAndOption::<StackWebhookOption> { id, option }), headers: HeaderMap, body: String| async move {
+      |Path(IdAndOption::<StackWebhookOption> { id, option }), RequestIp(ip), headers: HeaderMap, body: String| async move {
         let stack =
-          auth_webhook::<P, Stack>(&id, headers, &body).await?;
+          auth_webhook::<P, Stack>(&id, &headers, ip, &body).await?;
         tokio::spawn(async move {
           let span = info_span!("StackWebhook", id);
           async {
@@ -118,16 +122,16 @@ pub fn router<P: VerifySecret + ExtractBranch>() -> Router {
           .instrument(span)
           .await
         });
-        serror::Result::Ok(())
+        mogh_error::Result::Ok(())
       },
     ),
   )
   .route(
     "/sync/{id}/{option}",
     post(
-      |Path(IdAndOption::<SyncWebhookOption> { id, option }), headers: HeaderMap, body: String| async move {
+      |Path(IdAndOption::<SyncWebhookOption> { id, option }), RequestIp(ip), headers: HeaderMap, body: String| async move {
         let sync =
-          auth_webhook::<P, ResourceSync>(&id, headers, &body).await?;
+          auth_webhook::<P, ResourceSync>(&id, &headers, ip, &body).await?;
         tokio::spawn(async move {
           let span = info_span!("ResourceSyncWebhook", id);
           async {
@@ -144,16 +148,16 @@ pub fn router<P: VerifySecret + ExtractBranch>() -> Router {
           .instrument(span)
           .await
         });
-        serror::Result::Ok(())
+        mogh_error::Result::Ok(())
       },
     ),
   )
   .route(
     "/procedure/{id}/{branch}",
     post(
-      |Path(IdAndBranch { id, branch }), headers: HeaderMap, body: String| async move {
+      |Path(IdAndBranch { id, branch }), RequestIp(ip), headers: HeaderMap, body: String| async move {
         let procedure =
-          auth_webhook::<P, Procedure>(&id, headers, &body).await?;
+          auth_webhook::<P, Procedure>(&id, &headers, ip, &body).await?;
         tokio::spawn(async move {
           let span = info_span!("ProcedureWebhook", id);
           async {
@@ -170,16 +174,16 @@ pub fn router<P: VerifySecret + ExtractBranch>() -> Router {
           .instrument(span)
           .await
         });
-        serror::Result::Ok(())
+        mogh_error::Result::Ok(())
       },
     ),
   )
   .route(
     "/action/{id}/{branch}",
     post(
-      |Path(IdAndBranch { id, branch }), headers: HeaderMap, body: String| async move {
+      |Path(IdAndBranch { id, branch }), RequestIp(ip), headers: HeaderMap, body: String| async move {
         let action =
-          auth_webhook::<P, Action>(&id, headers, &body).await?;
+          auth_webhook::<P, Action>(&id, &headers, ip, &body).await?;
         tokio::spawn(async move {
           let span = info_span!("ActionWebhook", id);
           async {
@@ -196,7 +200,7 @@ pub fn router<P: VerifySecret + ExtractBranch>() -> Router {
           .instrument(span)
           .await
         });
-        serror::Result::Ok(())
+        mogh_error::Result::Ok(())
       },
     ),
   )
@@ -204,17 +208,22 @@ pub fn router<P: VerifySecret + ExtractBranch>() -> Router {
 
 async fn auth_webhook<P, R>(
   id: &str,
-  headers: HeaderMap,
+  headers: &HeaderMap,
+  ip: IpAddr,
   body: &str,
-) -> serror::Result<Resource<R::Config, R::Info>>
+) -> mogh_error::Result<Resource<R::Config, R::Info>>
 where
   P: VerifySecret,
   R: KomodoResource + CustomSecret,
 {
-  let resource = crate::resource::get::<R>(id)
-    .await
-    .status_code(StatusCode::BAD_REQUEST)?;
-  P::verify_secret(headers, body, R::custom_secret(&resource))
-    .status_code(StatusCode::UNAUTHORIZED)?;
-  Ok(resource)
+  async {
+    let resource = crate::resource::get::<R>(id)
+      .await
+      .status_code(StatusCode::BAD_REQUEST)?;
+    P::verify_secret(headers, body, R::custom_secret(&resource))
+      .status_code(StatusCode::UNAUTHORIZED)?;
+    mogh_error::Result::Ok(resource)
+  }
+  .with_failure_rate_limit_using_ip(&GENERAL_RATE_LIMITER, &ip)
+  .await
 }

bin/core/src/api/mod.rs

@@ -1,11 +1,57 @@
-pub mod auth;
+use axum::{Extension, Router, routing::get};
+use komodo_client::entities::user::User;
+use mogh_auth_server::middleware::authenticate_request;
+use mogh_error::Json;
+use mogh_server::{
+  cors::cors_layer, session::memory_session_layer,
+  ui::serve_static_ui,
+};
+
+use crate::{auth::KomodoAuthImpl, config::core_config, ts_client};
+
 pub mod execute;
 pub mod read;
-pub mod terminal;
-pub mod user;
 pub mod write;
 
+mod listener;
+mod openapi;
+mod terminal;
+mod ws;
+
 #[derive(serde::Deserialize)]
 struct Variant {
   variant: String,
 }
+
+pub fn app() -> Router {
+  let config = core_config();
+  Router::new()
+    .merge(openapi::serve_docs())
+    .route("/version", get(|| async { env!("CARGO_PKG_VERSION") }))
+    .nest("/auth", mogh_auth_server::api::router::<KomodoAuthImpl>())
+    .nest("/user", user_router())
+    .nest("/read", read::router())
+    .nest("/write", write::router())
+    .nest("/execute", execute::router())
+    .nest("/terminal", terminal::router())
+    .nest("/listener", listener::router())
+    .nest("/ws", ws::router())
+    .nest("/client", ts_client::router())
+    .layer(memory_session_layer(config))
+    .fallback_service(serve_static_ui(
+      &config.ui_path,
+      config.ui_index_force_no_cache,
+    ))
+    .layer(cors_layer(config))
+}
+
+fn user_router() -> Router {
+  Router::new()
+    .route(
+      "/",
+      get(|Extension(user): Extension<User>| async { Json(user) }),
+    )
+    .layer(axum::middleware::from_fn(
+      authenticate_request::<KomodoAuthImpl, false>,
+    ))
+}

bin/core/src/api/openapi/docs.html

@@ -0,0 +1,18 @@
+<!doctype html>
+<html>
+
+<head>
+  <title>Komodo API Docs</title>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+</head>
+
+<body>
+
+  <script id="api-reference" type="application/json">
+    $spec
+</script>
+  <script src="https://cdn.jsdelivr.net/npm/@scalar/api-reference"></script>
+</body>
+
+</html>

bin/core/src/api/openapi/mod.rs

@@ -0,0 +1,8 @@
+use komodo_client::openapi::KomodoApi;
+use utoipa::OpenApi as _;
+use utoipa_scalar::{Scalar, Servable as _};
+
+pub fn serve_docs() -> Scalar<utoipa::openapi::OpenApi> {
+  Scalar::with_url("/docs", KomodoApi::openapi())
+    .custom_html(include_str!("docs.html"))
+}

bin/core/src/api/read/action.rs

@@ -8,7 +8,7 @@ use komodo_client::{
     permission::PermissionLevel,
   },
 };
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;
 
 use crate::{
   helpers::query::get_all_tags,
@@ -23,7 +23,7 @@ impl Resolve<ReadArgs> for GetAction {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Action> {
+  ) -> mogh_error::Result<Action> {
     Ok(
       get_check_permissions::<Action>(
         &self.action,
@@ -39,7 +39,7 @@ impl Resolve<ReadArgs> for ListActions {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Vec<ActionListItem>> {
+  ) -> mogh_error::Result<Vec<ActionListItem>> {
     let all_tags = if self.query.tags.is_empty() {
       vec![]
     } else {
@@ -61,7 +61,7 @@ impl Resolve<ReadArgs> for ListFullActions {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListFullActionsResponse> {
+  ) -> mogh_error::Result<ListFullActionsResponse> {
     let all_tags = if self.query.tags.is_empty() {
       vec![]
     } else {
@@ -83,7 +83,7 @@ impl Resolve<ReadArgs> for GetActionActionState {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ActionActionState> {
+  ) -> mogh_error::Result<ActionActionState> {
     let action = get_check_permissions::<Action>(
       &self.action,
       user,
@@ -104,7 +104,7 @@ impl Resolve<ReadArgs> for GetActionsSummary {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetActionsSummaryResponse> {
+  ) -> mogh_error::Result<GetActionsSummaryResponse> {
     let actions = resource::list_full_for_user::<Action>(
       Default::default(),
       user,

bin/core/src/api/read/alert.rs

@@ -8,15 +8,15 @@ use komodo_client::{
   api::read::{
     GetAlert, GetAlertResponse, ListAlerts, ListAlertsResponse,
   },
-  entities::{
-    deployment::Deployment, permission::PermissionLevel,
-    server::Server, stack::Stack, sync::ResourceSync,
-  },
+  entities::permission::PermissionLevel,
 };
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;
 
 use crate::{
-  config::core_config, permission::list_resource_ids_for_user,
+  config::core_config,
+  permission::{
+    check_user_target_access, user_resource_target_query,
+  },
   state::db_client,
 };
 
@@ -28,41 +28,11 @@ impl Resolve<ReadArgs> for ListAlerts {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListAlertsResponse> {
-    let mut query = self.query.unwrap_or_default();
-    if !user.admin && !core_config().transparent_mode {
-      let (server_ids, stack_ids, deployment_ids, sync_ids) = tokio::try_join!(
-        list_resource_ids_for_user::<Server>(
-          None,
-          user,
-          PermissionLevel::Read.into(),
-        ),
-        list_resource_ids_for_user::<Stack>(
-          None,
-          user,
-          PermissionLevel::Read.into(),
-        ),
-        list_resource_ids_for_user::<Deployment>(
-          None,
-          user,
-          PermissionLevel::Read.into(),
-        ),
-        list_resource_ids_for_user::<ResourceSync>(
-          None,
-          user,
-          PermissionLevel::Read.into(),
-        )
-      )?;
-      // All of the vecs will be non-none if !admin and !transparent mode.
-      query.extend(doc! {
-        "$or": [
-          { "target.type": "Server", "target.id": { "$in": &server_ids } },
-          { "target.type": "Stack", "target.id": { "$in": &stack_ids } },
-          { "target.type": "Deployment", "target.id": { "$in": &deployment_ids } },
-          { "target.type": "ResourceSync", "target.id": { "$in": &sync_ids } },
-        ]
-      });
-    }
+  ) -> mogh_error::Result<ListAlertsResponse> {
+    // Alerts
+    let query = user_resource_target_query(user, self.query)
+      .await?
+      .unwrap_or_default();
 
     let alerts = find_collect(
       &db_client().alerts,
@@ -91,13 +61,21 @@ impl Resolve<ReadArgs> for ListAlerts {
 impl Resolve<ReadArgs> for GetAlert {
   async fn resolve(
     self,
-    _: &ReadArgs,
-  ) -> serror::Result<GetAlertResponse> {
-    Ok(
-      find_one_by_id(&db_client().alerts, &self.id)
-        .await
-        .context("failed to query db for alert")?
-        .context("no alert found with given id")?,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<GetAlertResponse> {
+    let alert = find_one_by_id(&db_client().alerts, &self.id)
+      .await
+      .context("failed to query db for alert")?
+      .context("no alert found with given id")?;
+    if user.admin || core_config().transparent_mode {
+      return Ok(alert);
+    }
+    check_user_target_access(
+      &alert.target,
+      user,
+      PermissionLevel::Read.into(),
     )
+    .await?;
+    Ok(alert)
   }
 }

bin/core/src/api/read/alerter.rs

@@ -8,7 +8,7 @@ use komodo_client::{
     permission::PermissionLevel,
   },
 };
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;
 
 use crate::{
   helpers::query::get_all_tags,
@@ -23,7 +23,7 @@ impl Resolve<ReadArgs> for GetAlerter {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Alerter> {
+  ) -> mogh_error::Result<Alerter> {
     Ok(
       get_check_permissions::<Alerter>(
         &self.alerter,
@@ -39,7 +39,7 @@ impl Resolve<ReadArgs> for ListAlerters {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Vec<AlerterListItem>> {
+  ) -> mogh_error::Result<Vec<AlerterListItem>> {
     let all_tags = if self.query.tags.is_empty() {
       vec![]
     } else {
@@ -61,7 +61,7 @@ impl Resolve<ReadArgs> for ListFullAlerters {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListFullAlertersResponse> {
+  ) -> mogh_error::Result<ListFullAlertersResponse> {
     let all_tags = if self.query.tags.is_empty() {
       vec![]
     } else {
@@ -83,7 +83,7 @@ impl Resolve<ReadArgs> for GetAlertersSummary {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetAlertersSummaryResponse> {
+  ) -> mogh_error::Result<GetAlertersSummaryResponse> {
     let query = match list_resource_ids_for_user::<Alerter>(
       None,
       user,

bin/core/src/api/read/build.rs

@@ -16,7 +16,7 @@ use komodo_client::{
     update::UpdateStatus,
   },
 };
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;
 
 use crate::{
   helpers::query::get_all_tags,
@@ -31,7 +31,7 @@ impl Resolve<ReadArgs> for GetBuild {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Build> {
+  ) -> mogh_error::Result<Build> {
     Ok(
       get_check_permissions::<Build>(
         &self.build,
@@ -47,7 +47,7 @@ impl Resolve<ReadArgs> for ListBuilds {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Vec<BuildListItem>> {
+  ) -> mogh_error::Result<Vec<BuildListItem>> {
     let all_tags = if self.query.tags.is_empty() {
       vec![]
     } else {
@@ -69,7 +69,7 @@ impl Resolve<ReadArgs> for ListFullBuilds {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListFullBuildsResponse> {
+  ) -> mogh_error::Result<ListFullBuildsResponse> {
     let all_tags = if self.query.tags.is_empty() {
       vec![]
     } else {
@@ -91,7 +91,7 @@ impl Resolve<ReadArgs> for GetBuildActionState {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<BuildActionState> {
+  ) -> mogh_error::Result<BuildActionState> {
     let build = get_check_permissions::<Build>(
       &self.build,
       user,
@@ -112,7 +112,7 @@ impl Resolve<ReadArgs> for GetBuildsSummary {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetBuildsSummaryResponse> {
+  ) -> mogh_error::Result<GetBuildsSummaryResponse> {
     let builds = resource::list_full_for_user::<Build>(
       Default::default(),
       user,
@@ -160,7 +160,7 @@ impl Resolve<ReadArgs> for GetBuildMonthlyStats {
   async fn resolve(
     self,
     _: &ReadArgs,
-  ) -> serror::Result<GetBuildMonthlyStatsResponse> {
+  ) -> mogh_error::Result<GetBuildMonthlyStatsResponse> {
     let curr_ts = unix_timestamp_ms() as i64;
     let next_day = curr_ts - curr_ts % ONE_DAY_MS + ONE_DAY_MS;
 
@@ -216,7 +216,7 @@ impl Resolve<ReadArgs> for ListBuildVersions {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Vec<BuildVersionResponseItem>> {
+  ) -> mogh_error::Result<Vec<BuildVersionResponseItem>> {
     let ListBuildVersions {
       build,
       major,
@@ -273,7 +273,7 @@ impl Resolve<ReadArgs> for ListCommonBuildExtraArgs {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListCommonBuildExtraArgsResponse> {
+  ) -> mogh_error::Result<ListCommonBuildExtraArgsResponse> {
     let all_tags = if self.query.tags.is_empty() {
       vec![]
     } else {

bin/core/src/api/read/builder.rs

@@ -8,7 +8,7 @@ use komodo_client::{
     permission::PermissionLevel,
   },
 };
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;
 
 use crate::{
   helpers::query::get_all_tags,
@@ -23,7 +23,7 @@ impl Resolve<ReadArgs> for GetBuilder {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Builder> {
+  ) -> mogh_error::Result<Builder> {
     Ok(
       get_check_permissions::<Builder>(
         &self.builder,
@@ -39,7 +39,7 @@ impl Resolve<ReadArgs> for ListBuilders {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Vec<BuilderListItem>> {
+  ) -> mogh_error::Result<Vec<BuilderListItem>> {
     let all_tags = if self.query.tags.is_empty() {
       vec![]
     } else {
@@ -61,7 +61,7 @@ impl Resolve<ReadArgs> for ListFullBuilders {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListFullBuildersResponse> {
+  ) -> mogh_error::Result<ListFullBuildersResponse> {
     let all_tags = if self.query.tags.is_empty() {
       vec![]
     } else {
@@ -83,7 +83,7 @@ impl Resolve<ReadArgs> for GetBuildersSummary {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetBuildersSummaryResponse> {
+  ) -> mogh_error::Result<GetBuildersSummaryResponse> {
     let query = match list_resource_ids_for_user::<Builder>(
       None,
       user,

bin/core/src/api/read/deployment.rs

@@ -4,23 +4,31 @@ use anyhow::{Context, anyhow};
 use komodo_client::{
   api::read::*,
   entities::{
+    SwarmOrServer,
     deployment::{
       Deployment, DeploymentActionState, DeploymentConfig,
       DeploymentListItem, DeploymentState,
     },
-    docker::container::{Container, ContainerStats},
+    docker::{
+      container::{Container, ContainerStats},
+      service::SwarmService,
+    },
     permission::PermissionLevel,
     server::{Server, ServerState},
     update::Log,
   },
 };
+use mogh_error::AddStatusCodeError as _;
+use mogh_resolver::Resolve;
 use periphery_client::api::{self, container::InspectContainer};
-use resolver_api::Resolve;
+use reqwest::StatusCode;
 
 use crate::{
-  helpers::{periphery_client, query::get_all_tags},
+  helpers::{
+    periphery_client, query::get_all_tags, swarm::swarm_request,
+  },
   permission::get_check_permissions,
-  resource,
+  resource::{self, setup_deployment_execution},
   state::{
     action_states, deployment_status_cache, server_status_cache,
   },
@@ -32,7 +40,7 @@ impl Resolve<ReadArgs> for GetDeployment {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Deployment> {
+  ) -> mogh_error::Result<Deployment> {
     Ok(
       get_check_permissions::<Deployment>(
         &self.deployment,
@@ -48,7 +56,7 @@ impl Resolve<ReadArgs> for ListDeployments {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Vec<DeploymentListItem>> {
+  ) -> mogh_error::Result<Vec<DeploymentListItem>> {
     let all_tags = if self.query.tags.is_empty() {
       vec![]
     } else {
@@ -78,7 +86,7 @@ impl Resolve<ReadArgs> for ListFullDeployments {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListFullDeploymentsResponse> {
+  ) -> mogh_error::Result<ListFullDeploymentsResponse> {
     let all_tags = if self.query.tags.is_empty() {
       vec![]
     } else {
@@ -100,7 +108,7 @@ impl Resolve<ReadArgs> for GetDeploymentContainer {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetDeploymentContainerResponse> {
+  ) -> mogh_error::Result<GetDeploymentContainerResponse> {
     let deployment = get_check_permissions::<Deployment>(
       &self.deployment,
       user,
@@ -125,36 +133,49 @@ impl Resolve<ReadArgs> for GetDeploymentLog {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Log> {
+  ) -> mogh_error::Result<Log> {
     let GetDeploymentLog {
       deployment,
       tail,
       timestamps,
     } = self;
-    let Deployment {
-      name,
-      config: DeploymentConfig { server_id, .. },
-      ..
-    } = get_check_permissions::<Deployment>(
+
+    let (deployment, swarm_or_server) = setup_deployment_execution(
       &deployment,
       user,
       PermissionLevel::Read.logs(),
     )
     .await?;
-    if server_id.is_empty() {
-      return Ok(Log::default());
-    }
-    let server = resource::get::<Server>(&server_id).await?;
-    let res = periphery_client(&server)
-      .await?
-      .request(api::container::GetContainerLog {
-        name,
-        tail: cmp::min(tail, MAX_LOG_LENGTH),
-        timestamps,
-      })
+
+    swarm_or_server.verify_has_target()?;
+
+    let log = match swarm_or_server {
+      SwarmOrServer::None => unreachable!(),
+      SwarmOrServer::Swarm(swarm) => swarm_request(
+        &swarm.config.server_ids,
+        periphery_client::api::swarm::GetSwarmServiceLog {
+          service: deployment.name,
+          tail,
+          timestamps,
+          no_task_ids: false,
+          no_resolve: false,
+          details: false,
+        },
+      )
       .await
-      .context("failed at call to periphery")?;
-    Ok(res)
+      .context("Failed to get service log from swarm")?,
+      SwarmOrServer::Server(server) => periphery_client(&server)
+        .await?
+        .request(api::container::GetContainerLog {
+          name: deployment.name,
+          tail: cmp::min(tail, MAX_LOG_LENGTH),
+          timestamps,
+        })
+        .await
+        .context("failed at call to periphery")?,
+    };
+
+    Ok(log)
   }
 }
 
@@ -162,7 +183,7 @@ impl Resolve<ReadArgs> for SearchDeploymentLog {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Log> {
+  ) -> mogh_error::Result<Log> {
     let SearchDeploymentLog {
       deployment,
       terms,
@@ -170,32 +191,47 @@ impl Resolve<ReadArgs> for SearchDeploymentLog {
       invert,
       timestamps,
     } = self;
-    let Deployment {
-      name,
-      config: DeploymentConfig { server_id, .. },
-      ..
-    } = get_check_permissions::<Deployment>(
+
+    let (deployment, swarm_or_server) = setup_deployment_execution(
       &deployment,
       user,
       PermissionLevel::Read.logs(),
     )
     .await?;
-    if server_id.is_empty() {
-      return Ok(Log::default());
-    }
-    let server = resource::get::<Server>(&server_id).await?;
-    let res = periphery_client(&server)
-      .await?
-      .request(api::container::GetContainerLogSearch {
-        name,
-        terms,
-        combinator,
-        invert,
-        timestamps,
-      })
+
+    swarm_or_server.verify_has_target()?;
+
+    let log = match swarm_or_server {
+      SwarmOrServer::None => unreachable!(),
+      SwarmOrServer::Swarm(swarm) => swarm_request(
+        &swarm.config.server_ids,
+        periphery_client::api::swarm::GetSwarmServiceLogSearch {
+          service: deployment.name,
+          terms,
+          combinator,
+          invert,
+          timestamps,
+          no_task_ids: false,
+          no_resolve: false,
+          details: false,
+        },
+      )
       .await
-      .context("failed at call to periphery")?;
-    Ok(res)
+      .context("Failed to search service log from swarm")?,
+      SwarmOrServer::Server(server) => periphery_client(&server)
+        .await?
+        .request(api::container::GetContainerLogSearch {
+          name: deployment.name,
+          terms,
+          combinator,
+          invert,
+          timestamps,
+        })
+        .await
+        .context("Failed to search container log from server")?,
+    };
+
+    Ok(log)
   }
 }
 
@@ -203,44 +239,80 @@ impl Resolve<ReadArgs> for InspectDeploymentContainer {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Container> {
+  ) -> mogh_error::Result<Container> {
     let InspectDeploymentContainer { deployment } = self;
-    let Deployment {
-      name,
-      config: DeploymentConfig { server_id, .. },
-      ..
-    } = get_check_permissions::<Deployment>(
+    let (deployment, swarm_or_server) = setup_deployment_execution(
       &deployment,
       user,
       PermissionLevel::Read.inspect(),
     )
     .await?;
-    if server_id.is_empty() {
+
+    let SwarmOrServer::Server(server) = swarm_or_server else {
       return Err(
         anyhow!(
-          "Cannot inspect deployment, not attached to any server"
+          "InspectDeploymentContainer should not be called for Deployment in Swarm Mode"
         )
-        .into(),
+        .status_code(StatusCode::BAD_REQUEST),
       );
-    }
-    let server = resource::get::<Server>(&server_id).await?;
+    };
+
     let cache = server_status_cache()
       .get_or_insert_default(&server.id)
       .await;
+
     if cache.state != ServerState::Ok {
       return Err(
         anyhow!(
-          "Cannot inspect container: server is {:?}",
+          "Cannot inspect container: Server is {:?}",
           cache.state
         )
         .into(),
       );
     }
-    let res = periphery_client(&server)
+
+    periphery_client(&server)
       .await?
-      .request(InspectContainer { name })
-      .await?;
-    Ok(res)
+      .request(InspectContainer {
+        name: deployment.name,
+      })
+      .await
+      .context("Failed to inspect container on server")
+      .map_err(Into::into)
+  }
+}
+
+impl Resolve<ReadArgs> for InspectDeploymentSwarmService {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<SwarmService> {
+    let InspectDeploymentSwarmService { deployment } = self;
+    let (deployment, swarm_or_server) = setup_deployment_execution(
+      &deployment,
+      user,
+      PermissionLevel::Read.logs(),
+    )
+    .await?;
+
+    let SwarmOrServer::Swarm(swarm) = swarm_or_server else {
+      return Err(
+        anyhow!(
+          "InspectDeploymentSwarmService should only be called for Deployment in Swarm Mode"
+        )
+        .status_code(StatusCode::BAD_REQUEST),
+      );
+    };
+
+    swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::InspectSwarmService {
+        service: deployment.name,
+      },
+    )
+    .await
+    .context("Failed to inspect service on swarm")
+    .map_err(Into::into)
   }
 }
 
@@ -248,7 +320,7 @@ impl Resolve<ReadArgs> for GetDeploymentStats {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ContainerStats> {
+  ) -> mogh_error::Result<ContainerStats> {
     let Deployment {
       name,
       config: DeploymentConfig { server_id, .. },
@@ -278,7 +350,7 @@ impl Resolve<ReadArgs> for GetDeploymentActionState {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<DeploymentActionState> {
+  ) -> mogh_error::Result<DeploymentActionState> {
     let deployment = get_check_permissions::<Deployment>(
       &self.deployment,
       user,
@@ -299,7 +371,7 @@ impl Resolve<ReadArgs> for GetDeploymentsSummary {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetDeploymentsSummaryResponse> {
+  ) -> mogh_error::Result<GetDeploymentsSummaryResponse> {
     let deployments = resource::list_full_for_user::<Deployment>(
       Default::default(),
       user,
@@ -342,7 +414,7 @@ impl Resolve<ReadArgs> for ListCommonDeploymentExtraArgs {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListCommonDeploymentExtraArgsResponse> {
+  ) -> mogh_error::Result<ListCommonDeploymentExtraArgsResponse> {
     let all_tags = if self.query.tags.is_empty() {
       vec![]
     } else {

bin/core/src/api/read/mod.rs

@@ -1,4 +1,4 @@
-use std::{collections::HashSet, time::Instant};
+use std::collections::HashSet;
 
 use anyhow::{Context, anyhow};
 use axum::{
@@ -18,16 +18,19 @@ use komodo_client::{
     user::User,
   },
 };
-use resolver_api::Resolve;
-use response::Response;
+use mogh_auth_server::middleware::authenticate_request;
+use mogh_error::Response;
+use mogh_error::{AddStatusCodeError, Json};
+use mogh_resolver::Resolve;
+use reqwest::StatusCode;
 use serde::{Deserialize, Serialize};
 use serde_json::json;
-use serror::Json;
+use strum::{Display, EnumDiscriminants};
 use typeshare::typeshare;
 use uuid::Uuid;
 
 use crate::{
-  auth::auth_request,
+  auth::KomodoAuthImpl,
   config::{core_config, core_keys},
   helpers::periphery_client,
   resource,
@@ -49,6 +52,7 @@ mod repo;
 mod schedule;
 mod server;
 mod stack;
+mod swarm;
 mod sync;
 mod tag;
 mod terminal;
@@ -63,10 +67,13 @@ pub struct ReadArgs {
 }
 
 #[typeshare]
-#[derive(Serialize, Deserialize, Debug, Clone, Resolve)]
+#[derive(
+  Serialize, Deserialize, Debug, Clone, Resolve, EnumDiscriminants,
+)]
+#[strum_discriminants(name(ReadRequestVariant), derive(Display))]
 #[args(ReadArgs)]
 #[response(Response)]
-#[error(serror::Error)]
+#[error(mogh_error::Error)]
 #[serde(tag = "type", content = "params")]
 enum ReadRequest {
   GetVersion(GetVersion),
@@ -75,36 +82,28 @@ enum ReadRequest {
   ListGitProvidersFromConfig(ListGitProvidersFromConfig),
   ListDockerRegistriesFromConfig(ListDockerRegistriesFromConfig),
 
-  // ==== USER ====
-  GetUsername(GetUsername),
-  GetPermission(GetPermission),
-  FindUser(FindUser),
-  ListUsers(ListUsers),
-  ListApiKeys(ListApiKeys),
-  ListApiKeysForServiceUser(ListApiKeysForServiceUser),
-  ListPermissions(ListPermissions),
-  ListUserTargetPermissions(ListUserTargetPermissions),
-
-  // ==== USER GROUP ====
-  GetUserGroup(GetUserGroup),
-  ListUserGroups(ListUserGroups),
-
-  // ==== PROCEDURE ====
-  GetProceduresSummary(GetProceduresSummary),
-  GetProcedure(GetProcedure),
-  GetProcedureActionState(GetProcedureActionState),
-  ListProcedures(ListProcedures),
-  ListFullProcedures(ListFullProcedures),
-
-  // ==== ACTION ====
-  GetActionsSummary(GetActionsSummary),
-  GetAction(GetAction),
-  GetActionActionState(GetActionActionState),
-  ListActions(ListActions),
-  ListFullActions(ListFullActions),
-
-  // ==== SCHEDULE ====
-  ListSchedules(ListSchedules),
+  // ==== SWARM ====
+  GetSwarmsSummary(GetSwarmsSummary),
+  GetSwarm(GetSwarm),
+  GetSwarmActionState(GetSwarmActionState),
+  ListSwarms(ListSwarms),
+  InspectSwarm(InspectSwarm),
+  ListFullSwarms(ListFullSwarms),
+  ListSwarmNodes(ListSwarmNodes),
+  InspectSwarmNode(InspectSwarmNode),
+  ListSwarmConfigs(ListSwarmConfigs),
+  InspectSwarmConfig(InspectSwarmConfig),
+  ListSwarmSecrets(ListSwarmSecrets),
+  InspectSwarmSecret(InspectSwarmSecret),
+  ListSwarmStacks(ListSwarmStacks),
+  InspectSwarmStack(InspectSwarmStack),
+  ListSwarmTasks(ListSwarmTasks),
+  InspectSwarmTask(InspectSwarmTask),
+  ListSwarmServices(ListSwarmServices),
+  InspectSwarmService(InspectSwarmService),
+  GetSwarmServiceLog(GetSwarmServiceLog),
+  SearchSwarmServiceLog(SearchSwarmServiceLog),
+  ListSwarmNetworks(ListSwarmNetworks),
 
   // ==== SERVER ====
   GetServersSummary(GetServersSummary),
@@ -112,7 +111,6 @@ enum ReadRequest {
   GetServerState(GetServerState),
   GetPeripheryInformation(GetPeripheryInformation),
   GetServerActionState(GetServerActionState),
-  GetHistoricalServerStats(GetHistoricalServerStats),
   ListServers(ListServers),
   ListFullServers(ListFullServers),
 
@@ -139,6 +137,7 @@ enum ReadRequest {
   // ==== SERVER STATS ====
   GetSystemInformation(GetSystemInformation),
   GetSystemStats(GetSystemStats),
+  GetHistoricalServerStats(GetHistoricalServerStats),
   ListSystemProcesses(ListSystemProcesses),
 
   // ==== STACK ====
@@ -148,6 +147,7 @@ enum ReadRequest {
   GetStackLog(GetStackLog),
   SearchStackLog(SearchStackLog),
   InspectStackContainer(InspectStackContainer),
+  InspectStackSwarmService(InspectStackSwarmService),
   ListStacks(ListStacks),
   ListFullStacks(ListFullStacks),
   ListStackServices(ListStackServices),
@@ -163,6 +163,7 @@ enum ReadRequest {
   GetDeploymentLog(GetDeploymentLog),
   SearchDeploymentLog(SearchDeploymentLog),
   InspectDeploymentContainer(InspectDeploymentContainer),
+  InspectDeploymentSwarmService(InspectDeploymentSwarmService),
   ListDeployments(ListDeployments),
   ListFullDeployments(ListFullDeployments),
   ListCommonDeploymentExtraArgs(ListCommonDeploymentExtraArgs),
@@ -184,6 +185,23 @@ enum ReadRequest {
   ListRepos(ListRepos),
   ListFullRepos(ListFullRepos),
 
+  // ==== PROCEDURE ====
+  GetProceduresSummary(GetProceduresSummary),
+  GetProcedure(GetProcedure),
+  GetProcedureActionState(GetProcedureActionState),
+  ListProcedures(ListProcedures),
+  ListFullProcedures(ListFullProcedures),
+
+  // ==== ACTION ====
+  GetActionsSummary(GetActionsSummary),
+  GetAction(GetAction),
+  GetActionActionState(GetActionActionState),
+  ListActions(ListActions),
+  ListFullActions(ListFullActions),
+
+  // ==== SCHEDULE ====
+  ListSchedules(ListSchedules),
+
   // ==== SYNC ====
   GetResourceSyncsSummary(GetResourceSyncsSummary),
   GetResourceSync(GetResourceSync),
@@ -211,6 +229,20 @@ enum ReadRequest {
   GetTag(GetTag),
   ListTags(ListTags),
 
+  // ==== USER ====
+  GetUsername(GetUsername),
+  GetPermission(GetPermission),
+  FindUser(FindUser),
+  ListUsers(ListUsers),
+  ListApiKeys(ListApiKeys),
+  ListApiKeysForServiceUser(ListApiKeysForServiceUser),
+  ListPermissions(ListPermissions),
+  ListUserTargetPermissions(ListUserTargetPermissions),
+
+  // ==== USER GROUP ====
+  GetUserGroup(GetUserGroup),
+  ListUserGroups(ListUserGroups),
+
   // ==== UPDATE ====
   GetUpdate(GetUpdate),
   ListUpdates(ListUpdates),
@@ -237,14 +269,16 @@ pub fn router() -> Router {
   Router::new()
     .route("/", post(handler))
     .route("/{variant}", post(variant_handler))
-    .layer(middleware::from_fn(auth_request))
+    .layer(middleware::from_fn(
+      authenticate_request::<KomodoAuthImpl, true>,
+    ))
 }
 
 async fn variant_handler(
   user: Extension<User>,
   Path(Variant { variant }): Path<Variant>,
   Json(params): Json<serde_json::Value>,
-) -> serror::Result<axum::response::Response> {
+) -> mogh_error::Result<axum::response::Response> {
   let req: ReadRequest = serde_json::from_value(json!({
     "type": variant,
     "params": params,
@@ -255,16 +289,24 @@ async fn variant_handler(
 async fn handler(
   Extension(user): Extension<User>,
   Json(request): Json<ReadRequest>,
-) -> serror::Result<axum::response::Response> {
-  let timer = Instant::now();
+) -> mogh_error::Result<axum::response::Response> {
   let req_id = Uuid::new_v4();
-  debug!("/read request | user: {}", user.username);
+  let variant: ReadRequestVariant = (&request).into();
+
+  debug!(
+    "READ REQUEST {req_id} | METHOD: {variant} | USER: {} ({})",
+    user.username, user.id
+  );
+
   let res = request.resolve(&ReadArgs { user }).await;
+
   if let Err(e) = &res {
-    debug!("/read request {req_id} error: {:#}", e.error);
+    debug!(
+      "READ REQUEST {req_id} | METHOD: {variant} | ERROR: {:#}",
+      e.error
+    );
   }
-  let elapsed = timer.elapsed();
-  debug!("/read request {req_id} | resolve time: {elapsed:?}");
+
   res.map(|res| res.0)
 }
 
@@ -272,18 +314,20 @@ impl Resolve<ReadArgs> for GetVersion {
   async fn resolve(
     self,
     _: &ReadArgs,
-  ) -> serror::Result<GetVersionResponse> {
+  ) -> mogh_error::Result<GetVersionResponse> {
     Ok(GetVersionResponse {
       version: env!("CARGO_PKG_VERSION").to_string(),
     })
   }
 }
 
+//
+
 impl Resolve<ReadArgs> for GetCoreInfo {
   async fn resolve(
     self,
     _: &ReadArgs,
-  ) -> serror::Result<GetCoreInfoResponse> {
+  ) -> mogh_error::Result<GetCoreInfoResponse> {
     let config = core_config();
     let info = GetCoreInfoResponse {
       title: config.title.clone(),
@@ -306,11 +350,13 @@ impl Resolve<ReadArgs> for GetCoreInfo {
   }
 }
 
+//
+
 impl Resolve<ReadArgs> for ListSecrets {
   async fn resolve(
     self,
     _: &ReadArgs,
-  ) -> serror::Result<ListSecretsResponse> {
+  ) -> mogh_error::Result<ListSecretsResponse> {
     let mut secrets = core_config()
       .secrets
       .keys()
@@ -332,7 +378,8 @@ impl Resolve<ReadArgs> for ListSecrets {
         }
         _ => {
           return Err(
-            anyhow!("target must be `Server` or `Builder`").into(),
+            anyhow!("target must be `Server` or `Builder`")
+              .status_code(StatusCode::BAD_REQUEST),
           );
         }
       };
@@ -359,11 +406,13 @@ impl Resolve<ReadArgs> for ListSecrets {
   }
 }
 
+//
+
 impl Resolve<ReadArgs> for ListGitProvidersFromConfig {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListGitProvidersFromConfigResponse> {
+  ) -> mogh_error::Result<ListGitProvidersFromConfigResponse> {
     let mut providers = core_config().git_providers.clone();
 
     if let Some(target) = self.target {
@@ -391,7 +440,8 @@ impl Resolve<ReadArgs> for ListGitProvidersFromConfig {
         }
         _ => {
           return Err(
-            anyhow!("target must be `Server` or `Builder`").into(),
+            anyhow!("target must be `Server` or `Builder`")
+              .status_code(StatusCode::BAD_REQUEST),
           );
         }
       }
@@ -461,11 +511,13 @@ impl Resolve<ReadArgs> for ListGitProvidersFromConfig {
   }
 }
 
+//
+
 impl Resolve<ReadArgs> for ListDockerRegistriesFromConfig {
   async fn resolve(
     self,
     _: &ReadArgs,
-  ) -> serror::Result<ListDockerRegistriesFromConfigResponse> {
+  ) -> mogh_error::Result<ListDockerRegistriesFromConfigResponse> {
     let mut registries = core_config().docker_registries.clone();
 
     if let Some(target) = self.target {
@@ -509,7 +561,7 @@ impl Resolve<ReadArgs> for ListDockerRegistriesFromConfig {
 async fn merge_git_providers_for_server(
   providers: &mut Vec<GitProvider>,
   server_id: &str,
-) -> serror::Result<()> {
+) -> mogh_error::Result<()> {
   let server = resource::get::<Server>(server_id).await?;
   let more = periphery_client(&server)
     .await?
@@ -548,7 +600,7 @@ fn merge_git_providers(
 async fn merge_docker_registries_for_server(
   registries: &mut Vec<DockerRegistry>,
   server_id: &str,
-) -> serror::Result<()> {
+) -> mogh_error::Result<()> {
   let server = resource::get::<Server>(server_id).await?;
   let more = periphery_client(&server)
     .await?

bin/core/src/api/read/onboarding_key.rs

@@ -5,9 +5,9 @@ use database::mungos::find::find_collect;
 use komodo_client::api::read::{
   ListOnboardingKeys, ListOnboardingKeysResponse,
 };
+use mogh_error::AddStatusCodeError;
+use mogh_resolver::Resolve;
 use reqwest::StatusCode;
-use resolver_api::Resolve;
-use serror::AddStatusCodeError;
 
 use crate::{api::read::ReadArgs, state::db_client};
 
@@ -17,7 +17,7 @@ impl Resolve<ReadArgs> for ListOnboardingKeys {
   async fn resolve(
     self,
     ReadArgs { user: admin }: &ReadArgs,
-  ) -> serror::Result<ListOnboardingKeysResponse> {
+  ) -> mogh_error::Result<ListOnboardingKeysResponse> {
     if !admin.admin {
       return Err(
         anyhow!("This call is admin only")

bin/core/src/api/read/permission.rs

@@ -8,7 +8,7 @@ use komodo_client::{
   },
   entities::permission::PermissionLevel,
 };
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;
 
 use crate::{
   helpers::query::get_user_permission_on_target, state::db_client,
@@ -20,7 +20,7 @@ impl Resolve<ReadArgs> for ListPermissions {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListPermissionsResponse> {
+  ) -> mogh_error::Result<ListPermissionsResponse> {
     let res = find_collect(
       &db_client().permissions,
       doc! {
@@ -39,7 +39,7 @@ impl Resolve<ReadArgs> for GetPermission {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetPermissionResponse> {
+  ) -> mogh_error::Result<GetPermissionResponse> {
     if user.admin {
       return Ok(PermissionLevel::Write.all());
     }
@@ -51,7 +51,7 @@ impl Resolve<ReadArgs> for ListUserTargetPermissions {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListUserTargetPermissionsResponse> {
+  ) -> mogh_error::Result<ListUserTargetPermissionsResponse> {
     if !user.admin {
       return Err(anyhow!("this method is admin only").into());
     }

bin/core/src/api/read/procedure.rs

@@ -6,7 +6,7 @@ use komodo_client::{
     procedure::{Procedure, ProcedureState},
   },
 };
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;
 
 use crate::{
   helpers::query::get_all_tags,
@@ -21,7 +21,7 @@ impl Resolve<ReadArgs> for GetProcedure {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetProcedureResponse> {
+  ) -> mogh_error::Result<GetProcedureResponse> {
     Ok(
       get_check_permissions::<Procedure>(
         &self.procedure,
@@ -37,7 +37,7 @@ impl Resolve<ReadArgs> for ListProcedures {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListProceduresResponse> {
+  ) -> mogh_error::Result<ListProceduresResponse> {
     let all_tags = if self.query.tags.is_empty() {
       vec![]
     } else {
@@ -59,7 +59,7 @@ impl Resolve<ReadArgs> for ListFullProcedures {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListFullProceduresResponse> {
+  ) -> mogh_error::Result<ListFullProceduresResponse> {
     let all_tags = if self.query.tags.is_empty() {
       vec![]
     } else {
@@ -81,7 +81,7 @@ impl Resolve<ReadArgs> for GetProceduresSummary {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetProceduresSummaryResponse> {
+  ) -> mogh_error::Result<GetProceduresSummaryResponse> {
     let procedures = resource::list_full_for_user::<Procedure>(
       Default::default(),
       user,
@@ -127,7 +127,7 @@ impl Resolve<ReadArgs> for GetProcedureActionState {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetProcedureActionStateResponse> {
+  ) -> mogh_error::Result<GetProcedureActionStateResponse> {
     let procedure = get_check_permissions::<Procedure>(
       &self.procedure,
       user,

bin/core/src/api/read/provider.rs

@@ -5,7 +5,7 @@ use database::mungos::{
   mongodb::options::FindOptions,
 };
 use komodo_client::api::read::*;
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;
 
 use crate::state::db_client;
 
@@ -15,7 +15,7 @@ impl Resolve<ReadArgs> for GetGitProviderAccount {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetGitProviderAccountResponse> {
+  ) -> mogh_error::Result<GetGitProviderAccountResponse> {
     if !user.admin {
       return Err(
         anyhow!("Only admins can read git provider accounts").into(),
@@ -35,7 +35,7 @@ impl Resolve<ReadArgs> for ListGitProviderAccounts {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListGitProviderAccountsResponse> {
+  ) -> mogh_error::Result<ListGitProviderAccountsResponse> {
     if !user.admin {
       return Err(
         anyhow!("Only admins can read git provider accounts").into(),
@@ -65,7 +65,7 @@ impl Resolve<ReadArgs> for GetDockerRegistryAccount {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetDockerRegistryAccountResponse> {
+  ) -> mogh_error::Result<GetDockerRegistryAccountResponse> {
     if !user.admin {
       return Err(
         anyhow!("Only admins can read docker registry accounts")
@@ -87,7 +87,7 @@ impl Resolve<ReadArgs> for ListDockerRegistryAccounts {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListDockerRegistryAccountsResponse> {
+  ) -> mogh_error::Result<ListDockerRegistryAccountsResponse> {
     if !user.admin {
       return Err(
         anyhow!("Only admins can read docker registry accounts")

bin/core/src/api/read/repo.rs

@@ -6,7 +6,7 @@ use komodo_client::{
     repo::{Repo, RepoActionState, RepoListItem, RepoState},
   },
 };
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;
 
 use crate::{
   helpers::query::get_all_tags,
@@ -21,7 +21,7 @@ impl Resolve<ReadArgs> for GetRepo {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Repo> {
+  ) -> mogh_error::Result<Repo> {
     Ok(
       get_check_permissions::<Repo>(
         &self.repo,
@@ -37,7 +37,7 @@ impl Resolve<ReadArgs> for ListRepos {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Vec<RepoListItem>> {
+  ) -> mogh_error::Result<Vec<RepoListItem>> {
     let all_tags = if self.query.tags.is_empty() {
       vec![]
     } else {
@@ -59,7 +59,7 @@ impl Resolve<ReadArgs> for ListFullRepos {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListFullReposResponse> {
+  ) -> mogh_error::Result<ListFullReposResponse> {
     let all_tags = if self.query.tags.is_empty() {
       vec![]
     } else {
@@ -81,7 +81,7 @@ impl Resolve<ReadArgs> for GetRepoActionState {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<RepoActionState> {
+  ) -> mogh_error::Result<RepoActionState> {
     let repo = get_check_permissions::<Repo>(
       &self.repo,
       user,
@@ -102,7 +102,7 @@ impl Resolve<ReadArgs> for GetReposSummary {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetReposSummaryResponse> {
+  ) -> mogh_error::Result<GetReposSummaryResponse> {
     let repos = resource::list_full_for_user::<Repo>(
       Default::default(),
       user,

bin/core/src/api/read/schedule.rs

@@ -10,7 +10,7 @@ use komodo_client::{
     schedule::Schedule,
   },
 };
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;
 
 use crate::{
   helpers::query::{get_all_tags, get_last_run_at},
@@ -24,7 +24,7 @@ impl Resolve<ReadArgs> for ListSchedules {
   async fn resolve(
     self,
     args: &ReadArgs,
-  ) -> serror::Result<Vec<Schedule>> {
+  ) -> mogh_error::Result<Vec<Schedule>> {
     let all_tags = get_all_tags(None).await?;
     let (actions, procedures) = tokio::try_join!(
       list_full_for_user::<Action>(

bin/core/src/api/read/server.rs

@@ -35,6 +35,8 @@ use komodo_client::{
     update::Log,
   },
 };
+use mogh_error::AddStatusCode;
+use mogh_resolver::Resolve;
 use periphery_client::api::{
   self as periphery,
   container::InspectContainer,
@@ -43,8 +45,6 @@ use periphery_client::api::{
   },
 };
 use reqwest::StatusCode;
-use resolver_api::Resolve;
-use serror::AddStatusCode;
 use tokio::sync::Mutex;
 
 use crate::{
@@ -61,7 +61,7 @@ impl Resolve<ReadArgs> for GetServersSummary {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetServersSummaryResponse> {
+  ) -> mogh_error::Result<GetServersSummaryResponse> {
     let servers = resource::list_for_user::<Server>(
       Default::default(),
       user,
@@ -103,7 +103,7 @@ impl Resolve<ReadArgs> for GetServer {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Server> {
+  ) -> mogh_error::Result<Server> {
     Ok(
       get_check_permissions::<Server>(
         &self.server,
@@ -119,7 +119,7 @@ impl Resolve<ReadArgs> for ListServers {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Vec<ServerListItem>> {
+  ) -> mogh_error::Result<Vec<ServerListItem>> {
     let all_tags = if self.query.tags.is_empty() {
       vec![]
     } else {
@@ -141,7 +141,7 @@ impl Resolve<ReadArgs> for ListFullServers {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListFullServersResponse> {
+  ) -> mogh_error::Result<ListFullServersResponse> {
     let all_tags = if self.query.tags.is_empty() {
       vec![]
     } else {
@@ -163,7 +163,7 @@ impl Resolve<ReadArgs> for GetServerState {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetServerStateResponse> {
+  ) -> mogh_error::Result<GetServerStateResponse> {
     let server = get_check_permissions::<Server>(
       &self.server,
       user,
@@ -185,7 +185,7 @@ impl Resolve<ReadArgs> for GetServerActionState {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ServerActionState> {
+  ) -> mogh_error::Result<ServerActionState> {
     let server = get_check_permissions::<Server>(
       &self.server,
       user,
@@ -206,7 +206,7 @@ impl Resolve<ReadArgs> for GetPeripheryInformation {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetPeripheryInformationResponse> {
+  ) -> mogh_error::Result<GetPeripheryInformationResponse> {
     let server = get_check_permissions::<Server>(
       &self.server,
       user,
@@ -229,7 +229,7 @@ impl Resolve<ReadArgs> for GetSystemInformation {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<SystemInformation> {
+  ) -> mogh_error::Result<SystemInformation> {
     let server = get_check_permissions::<Server>(
       &self.server,
       user,
@@ -253,7 +253,7 @@ impl Resolve<ReadArgs> for GetSystemStats {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetSystemStatsResponse> {
+  ) -> mogh_error::Result<GetSystemStatsResponse> {
     let server = get_check_permissions::<Server>(
       &self.server,
       user,
@@ -285,7 +285,7 @@ impl Resolve<ReadArgs> for ListSystemProcesses {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListSystemProcessesResponse> {
+  ) -> mogh_error::Result<ListSystemProcessesResponse> {
     let server = get_check_permissions::<Server>(
       &self.server,
       user,
@@ -320,7 +320,7 @@ impl Resolve<ReadArgs> for GetHistoricalServerStats {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetHistoricalServerStatsResponse> {
+  ) -> mogh_error::Result<GetHistoricalServerStatsResponse> {
     let GetHistoricalServerStats {
       server,
       granularity,
@@ -373,7 +373,7 @@ impl Resolve<ReadArgs> for ListDockerContainers {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListDockerContainersResponse> {
+  ) -> mogh_error::Result<ListDockerContainersResponse> {
     let server = get_check_permissions::<Server>(
       &self.server,
       user,
@@ -383,8 +383,8 @@ impl Resolve<ReadArgs> for ListDockerContainers {
     let cache = server_status_cache()
       .get_or_insert_default(&server.id)
       .await;
-    if let Some(containers) = &cache.containers {
-      Ok(containers.clone())
+    if let Some(docker) = &cache.docker {
+      Ok(docker.containers.clone())
     } else {
       Ok(Vec::new())
     }
@@ -395,7 +395,7 @@ impl Resolve<ReadArgs> for ListAllDockerContainers {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListAllDockerContainersResponse> {
+  ) -> mogh_error::Result<ListAllDockerContainersResponse> {
     let servers = resource::list_for_user::<Server>(
       ServerQuery::builder().names(self.servers.clone()).build(),
       user,
@@ -410,10 +410,11 @@ impl Resolve<ReadArgs> for ListAllDockerContainers {
       let cache = server_status_cache()
         .get_or_insert_default(&server.id)
         .await;
-      let Some(more) = &cache.containers else {
+      let Some(docker) = &cache.docker else {
         continue;
       };
-      let more = more
+      let more = docker
+        .containers
         .iter()
         .filter(|container| {
           self.containers.is_empty()
@@ -431,7 +432,7 @@ impl Resolve<ReadArgs> for GetDockerContainersSummary {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetDockerContainersSummaryResponse> {
+  ) -> mogh_error::Result<GetDockerContainersSummaryResponse> {
     let servers = resource::list_full_for_user::<Server>(
       Default::default(),
       user,
@@ -448,8 +449,8 @@ impl Resolve<ReadArgs> for GetDockerContainersSummary {
         .get_or_insert_default(&server.id)
         .await;
 
-      if let Some(containers) = &cache.containers {
-        for container in containers {
+      if let Some(docker) = &cache.docker {
+        for container in &docker.containers {
           res.total += 1;
           match container.state {
             ContainerStateStatusEnum::Created
@@ -471,7 +472,7 @@ impl Resolve<ReadArgs> for InspectDockerContainer {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Container> {
+  ) -> mogh_error::Result<Container> {
     let server = get_check_permissions::<Server>(
       &self.server,
       user,
@@ -506,7 +507,7 @@ impl Resolve<ReadArgs> for GetContainerLog {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Log> {
+  ) -> mogh_error::Result<Log> {
     let GetContainerLog {
       server,
       container,
@@ -536,7 +537,7 @@ impl Resolve<ReadArgs> for SearchContainerLog {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Log> {
+  ) -> mogh_error::Result<Log> {
     let SearchContainerLog {
       server,
       container,
@@ -570,7 +571,7 @@ impl Resolve<ReadArgs> for GetResourceMatchingContainer {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetResourceMatchingContainerResponse> {
+  ) -> mogh_error::Result<GetResourceMatchingContainerResponse> {
     let server = get_check_permissions::<Server>(
       &self.server,
       user,
@@ -631,7 +632,7 @@ impl Resolve<ReadArgs> for ListDockerNetworks {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListDockerNetworksResponse> {
+  ) -> mogh_error::Result<ListDockerNetworksResponse> {
     let server = get_check_permissions::<Server>(
       &self.server,
       user,
@@ -641,8 +642,8 @@ impl Resolve<ReadArgs> for ListDockerNetworks {
     let cache = server_status_cache()
       .get_or_insert_default(&server.id)
       .await;
-    if let Some(networks) = &cache.networks {
-      Ok(networks.clone())
+    if let Some(docker) = &cache.docker {
+      Ok(docker.networks.clone())
     } else {
       Ok(Vec::new())
     }
@@ -653,7 +654,7 @@ impl Resolve<ReadArgs> for InspectDockerNetwork {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Network> {
+  ) -> mogh_error::Result<Network> {
     let server = get_check_permissions::<Server>(
       &self.server,
       user,
@@ -684,7 +685,7 @@ impl Resolve<ReadArgs> for ListDockerImages {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListDockerImagesResponse> {
+  ) -> mogh_error::Result<ListDockerImagesResponse> {
     let server = get_check_permissions::<Server>(
       &self.server,
       user,
@@ -694,8 +695,8 @@ impl Resolve<ReadArgs> for ListDockerImages {
     let cache = server_status_cache()
       .get_or_insert_default(&server.id)
       .await;
-    if let Some(images) = &cache.images {
-      Ok(images.clone())
+    if let Some(docker) = &cache.docker {
+      Ok(docker.images.clone())
     } else {
       Ok(Vec::new())
     }
@@ -706,7 +707,7 @@ impl Resolve<ReadArgs> for InspectDockerImage {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Image> {
+  ) -> mogh_error::Result<Image> {
     let server = get_check_permissions::<Server>(
       &self.server,
       user,
@@ -734,7 +735,7 @@ impl Resolve<ReadArgs> for ListDockerImageHistory {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Vec<ImageHistoryResponseItem>> {
+  ) -> mogh_error::Result<Vec<ImageHistoryResponseItem>> {
     let server = get_check_permissions::<Server>(
       &self.server,
       user,
@@ -765,7 +766,7 @@ impl Resolve<ReadArgs> for ListDockerVolumes {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListDockerVolumesResponse> {
+  ) -> mogh_error::Result<ListDockerVolumesResponse> {
     let server = get_check_permissions::<Server>(
       &self.server,
       user,
@@ -775,8 +776,8 @@ impl Resolve<ReadArgs> for ListDockerVolumes {
     let cache = server_status_cache()
       .get_or_insert_default(&server.id)
       .await;
-    if let Some(volumes) = &cache.volumes {
-      Ok(volumes.clone())
+    if let Some(docker) = &cache.docker {
+      Ok(docker.volumes.clone())
     } else {
       Ok(Vec::new())
     }
@@ -787,7 +788,7 @@ impl Resolve<ReadArgs> for InspectDockerVolume {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Volume> {
+  ) -> mogh_error::Result<Volume> {
     let server = get_check_permissions::<Server>(
       &self.server,
       user,
@@ -815,7 +816,7 @@ impl Resolve<ReadArgs> for ListComposeProjects {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListComposeProjectsResponse> {
+  ) -> mogh_error::Result<ListComposeProjectsResponse> {
     let server = get_check_permissions::<Server>(
       &self.server,
       user,
@@ -825,8 +826,8 @@ impl Resolve<ReadArgs> for ListComposeProjects {
     let cache = server_status_cache()
       .get_or_insert_default(&server.id)
       .await;
-    if let Some(projects) = &cache.projects {
-      Ok(projects.clone())
+    if let Some(docker) = &cache.docker {
+      Ok(docker.projects.clone())
     } else {
       Ok(Vec::new())
     }

bin/core/src/api/read/stack.rs

@@ -4,24 +4,30 @@ use anyhow::{Context, anyhow};
 use komodo_client::{
   api::read::*,
   entities::{
-    docker::container::Container,
+    SwarmOrServer,
+    docker::{
+      container::Container, service::SwarmService, stack::SwarmStack,
+    },
     permission::PermissionLevel,
-    server::{Server, ServerState},
     stack::{Stack, StackActionState, StackListItem, StackState},
   },
 };
+use mogh_error::AddStatusCodeError as _;
+use mogh_resolver::Resolve;
 use periphery_client::api::{
   compose::{GetComposeLog, GetComposeLogSearch},
   container::InspectContainer,
 };
-use resolver_api::Resolve;
+use reqwest::StatusCode;
 
 use crate::{
-  helpers::{periphery_client, query::get_all_tags},
+  helpers::{
+    periphery_client, query::get_all_tags, swarm::swarm_request,
+  },
   permission::get_check_permissions,
   resource,
-  stack::get_stack_and_server,
-  state::{action_states, server_status_cache, stack_status_cache},
+  stack::setup_stack_execution,
+  state::{action_states, stack_status_cache},
 };
 
 use super::ReadArgs;
@@ -30,7 +36,7 @@ impl Resolve<ReadArgs> for GetStack {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Stack> {
+  ) -> mogh_error::Result<Stack> {
     Ok(
       get_check_permissions::<Stack>(
         &self.stack,
@@ -46,7 +52,7 @@ impl Resolve<ReadArgs> for ListStackServices {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListStackServicesResponse> {
+  ) -> mogh_error::Result<ListStackServicesResponse> {
     let stack = get_check_permissions::<Stack>(
       &self.stack,
       user,
@@ -70,31 +76,59 @@ impl Resolve<ReadArgs> for GetStackLog {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetStackLogResponse> {
+  ) -> mogh_error::Result<GetStackLogResponse> {
     let GetStackLog {
       stack,
-      services,
+      mut services,
       tail,
       timestamps,
     } = self;
-    let (stack, server) = get_stack_and_server(
+    let (stack, swarm_or_server) = setup_stack_execution(
       &stack,
       user,
       PermissionLevel::Read.logs(),
-      true,
     )
     .await?;
-    let res = periphery_client(&server)
-      .await?
-      .request(GetComposeLog {
-        project: stack.project_name(false),
-        services,
-        tail,
-        timestamps,
-      })
-      .await
-      .context("Failed to get stack log from periphery")?;
-    Ok(res)
+
+    swarm_or_server.verify_has_target()?;
+
+    let log = match swarm_or_server {
+      SwarmOrServer::None => unreachable!(),
+      SwarmOrServer::Swarm(swarm) => {
+        let service = services.pop().context(
+          "Must pass single service for Swarm mode Stack logs",
+        )?;
+        swarm_request(
+          &swarm.config.server_ids,
+          periphery_client::api::swarm::GetSwarmServiceLog {
+            // The actual service name on swarm will be stackname_servicename
+            service: format!(
+              "{}_{service}",
+              stack.project_name(false)
+            ),
+            tail,
+            timestamps,
+            no_task_ids: false,
+            no_resolve: false,
+            details: false,
+          },
+        )
+        .await
+        .context("Failed to get stack service log from swarm")?
+      }
+      SwarmOrServer::Server(server) => periphery_client(&server)
+        .await?
+        .request(GetComposeLog {
+          project: stack.project_name(false),
+          services,
+          tail,
+          timestamps,
+        })
+        .await
+        .context("Failed to get stack log from periphery")?,
+    };
+
+    Ok(log)
   }
 }
 
@@ -102,35 +136,61 @@ impl Resolve<ReadArgs> for SearchStackLog {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<SearchStackLogResponse> {
+  ) -> mogh_error::Result<SearchStackLogResponse> {
     let SearchStackLog {
       stack,
-      services,
+      mut services,
       terms,
       combinator,
       invert,
       timestamps,
     } = self;
-    let (stack, server) = get_stack_and_server(
+    let (stack, swarm_or_server) = setup_stack_execution(
       &stack,
       user,
       PermissionLevel::Read.logs(),
-      true,
     )
     .await?;
-    let res = periphery_client(&server)
-      .await?
-      .request(GetComposeLogSearch {
-        project: stack.project_name(false),
-        services,
-        terms,
-        combinator,
-        invert,
-        timestamps,
-      })
-      .await
-      .context("Failed to search stack log from periphery")?;
-    Ok(res)
+
+    swarm_or_server.verify_has_target()?;
+
+    let log = match swarm_or_server {
+      SwarmOrServer::None => unreachable!(),
+      SwarmOrServer::Swarm(swarm) => {
+        let service = services.pop().context(
+          "Must pass single service for Swarm mode Stack logs",
+        )?;
+        swarm_request(
+          &swarm.config.server_ids,
+          periphery_client::api::swarm::GetSwarmServiceLogSearch {
+            service,
+            terms,
+            combinator,
+            invert,
+            timestamps,
+            no_task_ids: false,
+            no_resolve: false,
+            details: false,
+          },
+        )
+        .await
+        .context("Failed to get stack service log from swarm")?
+      }
+      SwarmOrServer::Server(server) => periphery_client(&server)
+        .await?
+        .request(GetComposeLogSearch {
+          project: stack.project_name(false),
+          services,
+          terms,
+          combinator,
+          invert,
+          timestamps,
+        })
+        .await
+        .context("Failed to search stack log from periphery")?,
+    };
+
+    Ok(log)
   }
 }
 
@@ -138,40 +198,31 @@ impl Resolve<ReadArgs> for InspectStackContainer {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Container> {
+  ) -> mogh_error::Result<Container> {
     let InspectStackContainer { stack, service } = self;
-    let stack = get_check_permissions::<Stack>(
+    let (stack, swarm_or_server) = setup_stack_execution(
       &stack,
       user,
       PermissionLevel::Read.inspect(),
     )
     .await?;
-    if stack.config.server_id.is_empty() {
-      return Err(
-        anyhow!("Cannot inspect stack, not attached to any server")
-          .into(),
-      );
-    }
-    let server =
-      resource::get::<Server>(&stack.config.server_id).await?;
-    let cache = server_status_cache()
-      .get_or_insert_default(&server.id)
-      .await;
-    if cache.state != ServerState::Ok {
+
+    let SwarmOrServer::Server(server) = swarm_or_server else {
       return Err(
         anyhow!(
-          "Cannot inspect container: server is {:?}",
-          cache.state
+          "InspectStackContainer should not be called for Stack in Swarm Mode"
         )
-        .into(),
+        .status_code(StatusCode::BAD_REQUEST),
       );
-    }
+    };
+
     let services = &stack_status_cache()
       .get(&stack.id)
       .await
       .unwrap_or_default()
       .curr
       .services;
+
     let Some(name) = services
       .iter()
       .find(|s| s.service == service)
@@ -181,19 +232,106 @@ impl Resolve<ReadArgs> for InspectStackContainer {
         "No service found matching '{service}'. Was the stack last deployed manually?"
       ).into());
     };
+
     let res = periphery_client(&server)
       .await?
       .request(InspectContainer { name })
-      .await?;
+      .await
+      .context("Failed to inspect container on server")?;
+
     Ok(res)
   }
 }
 
+impl Resolve<ReadArgs> for InspectStackSwarmService {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<SwarmService> {
+    let InspectStackSwarmService { stack, service } = self;
+    let (stack, swarm_or_server) = setup_stack_execution(
+      &stack,
+      user,
+      PermissionLevel::Read.inspect(),
+    )
+    .await?;
+
+    let SwarmOrServer::Swarm(swarm) = swarm_or_server else {
+      return Err(
+        anyhow!(
+          "InspectStackSwarmService should only be called for Stack in Swarm Mode"
+        )
+        .status_code(StatusCode::BAD_REQUEST),
+      );
+    };
+
+    let services = &stack_status_cache()
+      .get(&stack.id)
+      .await
+      .unwrap_or_default()
+      .curr
+      .services;
+
+    let Some(service) = services
+      .iter()
+      .find(|s| s.service == service)
+      .and_then(|s| {
+        s.swarm_service.as_ref().and_then(|c| c.name.clone())
+      })
+    else {
+      return Err(anyhow!(
+        "No service found matching '{service}'. Was the stack last deployed manually?"
+      ).into());
+    };
+
+    swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::InspectSwarmService { service },
+    )
+    .await
+    .context("Failed to inspect service on swarm")
+    .map_err(Into::into)
+  }
+}
+
+impl Resolve<ReadArgs> for InspectStackSwarmInfo {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<SwarmStack> {
+    let (stack, swarm_or_server) = setup_stack_execution(
+      &self.stack,
+      user,
+      PermissionLevel::Read.inspect(),
+    )
+    .await?;
+
+    let SwarmOrServer::Swarm(swarm) = swarm_or_server else {
+      return Err(
+        anyhow!(
+          "InspectStackSwarmInfo should only be called for Stack in Swarm Mode"
+        )
+        .status_code(StatusCode::BAD_REQUEST),
+      );
+    };
+
+    swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::InspectSwarmStack {
+        stack: stack.project_name(false),
+      },
+    )
+    .await
+    .context("Failed to inspect stack info on swarm")
+    .map_err(Into::into)
+  }
+}
+
 impl Resolve<ReadArgs> for ListCommonStackExtraArgs {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListCommonStackExtraArgsResponse> {
+  ) -> mogh_error::Result<ListCommonStackExtraArgsResponse> {
     let all_tags = if self.query.tags.is_empty() {
       vec![]
     } else {
@@ -206,7 +344,7 @@ impl Resolve<ReadArgs> for ListCommonStackExtraArgs {
       &all_tags,
     )
     .await
-    .context("failed to get resources matching query")?;
+    .context("Failed to get resources matching query")?;
 
     // first collect with guaranteed uniqueness
     let mut res = HashSet::<String>::new();
@@ -227,7 +365,7 @@ impl Resolve<ReadArgs> for ListCommonStackBuildExtraArgs {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListCommonStackBuildExtraArgsResponse> {
+  ) -> mogh_error::Result<ListCommonStackBuildExtraArgsResponse> {
     let all_tags = if self.query.tags.is_empty() {
       vec![]
     } else {
@@ -240,7 +378,7 @@ impl Resolve<ReadArgs> for ListCommonStackBuildExtraArgs {
       &all_tags,
     )
     .await
-    .context("failed to get resources matching query")?;
+    .context("Failed to get resources matching query")?;
 
     // first collect with guaranteed uniqueness
     let mut res = HashSet::<String>::new();
@@ -261,7 +399,7 @@ impl Resolve<ReadArgs> for ListStacks {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Vec<StackListItem>> {
+  ) -> mogh_error::Result<Vec<StackListItem>> {
     let all_tags = if self.query.tags.is_empty() {
       vec![]
     } else {
@@ -297,7 +435,7 @@ impl Resolve<ReadArgs> for ListFullStacks {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListFullStacksResponse> {
+  ) -> mogh_error::Result<ListFullStacksResponse> {
     let all_tags = if self.query.tags.is_empty() {
       vec![]
     } else {
@@ -319,7 +457,7 @@ impl Resolve<ReadArgs> for GetStackActionState {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<StackActionState> {
+  ) -> mogh_error::Result<StackActionState> {
     let stack = get_check_permissions::<Stack>(
       &self.stack,
       user,
@@ -340,7 +478,7 @@ impl Resolve<ReadArgs> for GetStacksSummary {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetStacksSummaryResponse> {
+  ) -> mogh_error::Result<GetStacksSummaryResponse> {
     let stacks = resource::list_full_for_user::<Stack>(
       Default::default(),
       user,
@@ -348,7 +486,7 @@ impl Resolve<ReadArgs> for GetStacksSummary {
       &[],
     )
     .await
-    .context("failed to get stacks from db")?;
+    .context("Failed to get stacks from database")?;
 
     let mut res = GetStacksSummaryResponse::default();
 

bin/core/src/api/read/swarm.rs

@@ -0,0 +1,522 @@
+use anyhow::{Context, anyhow};
+use komodo_client::{
+  api::read::*,
+  entities::{
+    permission::PermissionLevel,
+    swarm::{Swarm, SwarmActionState, SwarmListItem, SwarmState},
+  },
+};
+use mogh_resolver::Resolve;
+
+use crate::{
+  helpers::{query::get_all_tags, swarm::swarm_request},
+  permission::get_check_permissions,
+  resource,
+  state::{action_states, server_status_cache, swarm_status_cache},
+};
+
+use super::ReadArgs;
+
+impl Resolve<ReadArgs> for GetSwarm {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<Swarm> {
+    Ok(
+      get_check_permissions::<Swarm>(
+        &self.swarm,
+        user,
+        PermissionLevel::Read.into(),
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for ListSwarms {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<Vec<SwarmListItem>> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_for_user::<Swarm>(
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for ListFullSwarms {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<ListFullSwarmsResponse> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_full_for_user::<Swarm>(
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for GetSwarmActionState {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<SwarmActionState> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let action_state = action_states()
+      .swarm
+      .get(&swarm.id)
+      .await
+      .unwrap_or_default()
+      .get()?;
+    Ok(action_state)
+  }
+}
+
+impl Resolve<ReadArgs> for GetSwarmsSummary {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<GetSwarmsSummaryResponse> {
+    let swarms = resource::list_full_for_user::<Swarm>(
+      Default::default(),
+      user,
+      PermissionLevel::Read.into(),
+      &[],
+    )
+    .await
+    .context("failed to get swarms from db")?;
+
+    let mut res = GetSwarmsSummaryResponse::default();
+
+    let cache = swarm_status_cache();
+
+    for swarm in swarms {
+      res.total += 1;
+
+      match cache
+        .get(&swarm.id)
+        .await
+        .map(|status| status.state)
+        .unwrap_or_default()
+      {
+        SwarmState::Unknown => {
+          res.unknown += 1;
+        }
+        SwarmState::Healthy => {
+          res.healthy += 1;
+        }
+        SwarmState::Unhealthy => {
+          res.unhealthy += 1;
+        }
+        SwarmState::Down => {
+          res.down += 1;
+        }
+      }
+    }
+
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for InspectSwarm {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<InspectSwarmResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.inspect(),
+    )
+    .await?;
+    let cache =
+      swarm_status_cache().get_or_insert_default(&swarm.id).await;
+    let inspect = cache
+      .inspect
+      .as_ref()
+      .cloned()
+      .context("SwarmInspectInfo not available")?;
+    Ok(inspect)
+  }
+}
+
+impl Resolve<ReadArgs> for ListSwarmNodes {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<ListSwarmNodesResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let cache =
+      swarm_status_cache().get_or_insert_default(&swarm.id).await;
+    if let Some(lists) = &cache.lists {
+      Ok(lists.nodes.clone())
+    } else {
+      Ok(Vec::new())
+    }
+  }
+}
+
+impl Resolve<ReadArgs> for InspectSwarmNode {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<InspectSwarmNodeResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.inspect(),
+    )
+    .await?;
+    swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::InspectSwarmNode {
+        node: self.node,
+      },
+    )
+    .await
+    .map_err(Into::into)
+  }
+}
+
+impl Resolve<ReadArgs> for ListSwarmServices {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<ListSwarmServicesResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let cache =
+      swarm_status_cache().get_or_insert_default(&swarm.id).await;
+    if let Some(lists) = &cache.lists {
+      Ok(lists.services.clone())
+    } else {
+      Ok(Vec::new())
+    }
+  }
+}
+
+impl Resolve<ReadArgs> for InspectSwarmService {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<InspectSwarmServiceResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.inspect(),
+    )
+    .await?;
+    swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::InspectSwarmService {
+        service: self.service,
+      },
+    )
+    .await
+    .map_err(Into::into)
+  }
+}
+
+impl Resolve<ReadArgs> for GetSwarmServiceLog {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<GetSwarmServiceLogResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.logs(),
+    )
+    .await?;
+    swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::GetSwarmServiceLog {
+        service: self.service,
+        tail: self.tail,
+        timestamps: self.timestamps,
+        no_task_ids: self.no_task_ids,
+        no_resolve: self.no_resolve,
+        details: self.details,
+      },
+    )
+    .await
+    .map_err(Into::into)
+  }
+}
+
+impl Resolve<ReadArgs> for SearchSwarmServiceLog {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<SearchSwarmServiceLogResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.logs(),
+    )
+    .await?;
+    swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::GetSwarmServiceLogSearch {
+        service: self.service,
+        terms: self.terms,
+        combinator: self.combinator,
+        invert: self.invert,
+        timestamps: self.timestamps,
+        no_task_ids: self.no_task_ids,
+        no_resolve: self.no_resolve,
+        details: self.details,
+      },
+    )
+    .await
+    .map_err(Into::into)
+  }
+}
+
+impl Resolve<ReadArgs> for ListSwarmTasks {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<ListSwarmTasksResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let cache =
+      swarm_status_cache().get_or_insert_default(&swarm.id).await;
+    if let Some(lists) = &cache.lists {
+      Ok(lists.tasks.clone())
+    } else {
+      Ok(Vec::new())
+    }
+  }
+}
+
+impl Resolve<ReadArgs> for InspectSwarmTask {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<InspectSwarmTaskResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.inspect(),
+    )
+    .await?;
+    swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::InspectSwarmTask {
+        task: self.task,
+      },
+    )
+    .await
+    .map_err(Into::into)
+  }
+}
+
+impl Resolve<ReadArgs> for ListSwarmSecrets {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<ListSwarmSecretsResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let cache =
+      swarm_status_cache().get_or_insert_default(&swarm.id).await;
+    if let Some(lists) = &cache.lists {
+      Ok(lists.secrets.clone())
+    } else {
+      Ok(Vec::new())
+    }
+  }
+}
+
+impl Resolve<ReadArgs> for InspectSwarmSecret {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<InspectSwarmSecretResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.inspect(),
+    )
+    .await?;
+    swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::InspectSwarmSecret {
+        secret: self.secret,
+      },
+    )
+    .await
+    .map_err(Into::into)
+  }
+}
+
+impl Resolve<ReadArgs> for ListSwarmConfigs {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<ListSwarmConfigsResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let cache =
+      swarm_status_cache().get_or_insert_default(&swarm.id).await;
+    if let Some(lists) = &cache.lists {
+      Ok(lists.configs.clone())
+    } else {
+      Ok(Vec::new())
+    }
+  }
+}
+
+impl Resolve<ReadArgs> for InspectSwarmConfig {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<InspectSwarmConfigResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.inspect(),
+    )
+    .await?;
+    swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::InspectSwarmConfig {
+        config: self.config,
+      },
+    )
+    .await
+    .map_err(Into::into)
+  }
+}
+
+impl Resolve<ReadArgs> for ListSwarmStacks {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<ListSwarmStacksResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let cache =
+      swarm_status_cache().get_or_insert_default(&swarm.id).await;
+    if let Some(lists) = &cache.lists {
+      Ok(lists.stacks.clone())
+    } else {
+      Ok(Vec::new())
+    }
+  }
+}
+
+impl Resolve<ReadArgs> for InspectSwarmStack {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<InspectSwarmStackResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.inspect(),
+    )
+    .await?;
+    swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::InspectSwarmStack {
+        stack: self.stack,
+      },
+    )
+    .await
+    .map_err(Into::into)
+  }
+}
+
+impl Resolve<ReadArgs> for ListSwarmNetworks {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+
+    let cache = server_status_cache();
+
+    for server_id in swarm.config.server_ids {
+      let Some(status) = cache.get(&server_id).await else {
+        continue;
+      };
+      let Some(docker) = &status.docker else {
+        continue;
+      };
+      let networks = docker
+        .networks
+        .iter()
+        .filter(|network| {
+          network.driver.as_deref() == Some("overlay")
+        })
+        .cloned()
+        .collect::<Vec<_>>();
+      return Ok(networks);
+    }
+
+    Err(
+      anyhow!(
+        "Failed to retrieve swarm networks from any manager node."
+      )
+      .into(),
+    )
+  }
+}

bin/core/src/api/read/sync.rs

@@ -8,7 +8,7 @@ use komodo_client::{
     },
   },
 };
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;
 
 use crate::{
   helpers::query::get_all_tags, permission::get_check_permissions,
@@ -21,7 +21,7 @@ impl Resolve<ReadArgs> for GetResourceSync {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ResourceSync> {
+  ) -> mogh_error::Result<ResourceSync> {
     Ok(
       get_check_permissions::<ResourceSync>(
         &self.sync,
@@ -37,7 +37,7 @@ impl Resolve<ReadArgs> for ListResourceSyncs {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Vec<ResourceSyncListItem>> {
+  ) -> mogh_error::Result<Vec<ResourceSyncListItem>> {
     let all_tags = if self.query.tags.is_empty() {
       vec![]
     } else {
@@ -59,7 +59,7 @@ impl Resolve<ReadArgs> for ListFullResourceSyncs {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListFullResourceSyncsResponse> {
+  ) -> mogh_error::Result<ListFullResourceSyncsResponse> {
     let all_tags = if self.query.tags.is_empty() {
       vec![]
     } else {
@@ -81,7 +81,7 @@ impl Resolve<ReadArgs> for GetResourceSyncActionState {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ResourceSyncActionState> {
+  ) -> mogh_error::Result<ResourceSyncActionState> {
     let sync = get_check_permissions::<ResourceSync>(
       &self.sync,
       user,
@@ -102,7 +102,7 @@ impl Resolve<ReadArgs> for GetResourceSyncsSummary {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetResourceSyncsSummaryResponse> {
+  ) -> mogh_error::Result<GetResourceSyncsSummaryResponse> {
     let resource_syncs =
       resource::list_full_for_user::<ResourceSync>(
         Default::default(),

bin/core/src/api/read/tag.rs

@@ -7,20 +7,23 @@ use komodo_client::{
   api::read::{GetTag, ListTags},
   entities::tag::Tag,
 };
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;
 
 use crate::{helpers::query::get_tag, state::db_client};
 
 use super::ReadArgs;
 
 impl Resolve<ReadArgs> for GetTag {
-  async fn resolve(self, _: &ReadArgs) -> serror::Result<Tag> {
+  async fn resolve(self, _: &ReadArgs) -> mogh_error::Result<Tag> {
     Ok(get_tag(&self.tag).await?)
   }
 }
 
 impl Resolve<ReadArgs> for ListTags {
-  async fn resolve(self, _: &ReadArgs) -> serror::Result<Vec<Tag>> {
+  async fn resolve(
+    self,
+    _: &ReadArgs,
+  ) -> mogh_error::Result<Vec<Tag>> {
     let res = find_collect(
       &db_client().tags,
       self.query,

bin/core/src/api/read/terminal.rs

@@ -13,9 +13,9 @@ use komodo_client::{
     user::User,
   },
 };
+use mogh_error::AddStatusCode;
+use mogh_resolver::Resolve;
 use reqwest::StatusCode;
-use resolver_api::Resolve;
-use serror::AddStatusCode;
 
 use crate::{
   helpers::periphery_client, permission::get_check_permissions,
@@ -30,7 +30,7 @@ impl Resolve<ReadArgs> for ListTerminals {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListTerminalsResponse> {
+  ) -> mogh_error::Result<ListTerminalsResponse> {
     let Some(target) = self.target else {
       return list_all_terminals_for_user(user, self.use_names).await;
     };
@@ -88,7 +88,7 @@ impl Resolve<ReadArgs> for ListTerminals {
 async fn list_all_terminals_for_user(
   user: &User,
   use_names: bool,
-) -> serror::Result<Vec<Terminal>> {
+) -> mogh_error::Result<Vec<Terminal>> {
   let (mut servers, stacks, deployments) = tokio::try_join!(
     resource::list_full_for_user::<Server>(
       Default::default(),
@@ -230,7 +230,7 @@ async fn list_all_terminals_for_user(
 async fn list_terminals_on_server(
   server: &Server,
   target: Option<TerminalTarget>,
-) -> serror::Result<Vec<Terminal>> {
+) -> mogh_error::Result<Vec<Terminal>> {
   periphery_client(server)
     .await?
     .request(periphery_client::api::terminal::ListTerminals {

bin/core/src/api/read/toml.rs

@@ -11,10 +11,11 @@ use komodo_client::{
     builder::Builder, deployment::Deployment,
     permission::PermissionLevel, procedure::Procedure, repo::Repo,
     resource::ResourceQuery, server::Server, stack::Stack,
-    sync::ResourceSync, toml::ResourcesToml, user::User,
+    swarm::Swarm, sync::ResourceSync, toml::ResourcesToml,
+    user::User,
   },
 };
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;
 
 use crate::{
   helpers::query::{
@@ -160,7 +161,7 @@ impl Resolve<ReadArgs> for ExportAllResourcesToToml {
   async fn resolve(
     self,
     args: &ReadArgs,
-  ) -> serror::Result<ExportAllResourcesToTomlResponse> {
+  ) -> mogh_error::Result<ExportAllResourcesToTomlResponse> {
     let targets = if self.include_resources {
       get_all_targets(&self.tags, &args.user).await?
     } else {
@@ -196,7 +197,7 @@ impl Resolve<ReadArgs> for ExportResourcesToToml {
   async fn resolve(
     self,
     args: &ReadArgs,
-  ) -> serror::Result<ExportResourcesToTomlResponse> {
+  ) -> mogh_error::Result<ExportResourcesToTomlResponse> {
     let ExportResourcesToToml {
       targets,
       user_groups,
@@ -207,42 +208,21 @@ impl Resolve<ReadArgs> for ExportResourcesToToml {
     let ReadArgs { user } = args;
     for target in targets {
       match target {
-        ResourceTarget::Alerter(id) => {
-          let mut alerter = get_check_permissions::<Alerter>(
+        ResourceTarget::Swarm(id) => {
+          let mut swarm = get_check_permissions::<Swarm>(
             &id,
             user,
             PermissionLevel::Read.into(),
           )
           .await?;
-          Alerter::replace_ids(&mut alerter);
-          res.alerters.push(convert_resource::<Alerter>(
-            alerter,
+          Swarm::replace_ids(&mut swarm);
+          res.swarms.push(convert_resource::<Swarm>(
+            swarm,
             false,
             vec![],
             &id_to_tags,
           ))
         }
-        ResourceTarget::ResourceSync(id) => {
-          let mut sync = get_check_permissions::<ResourceSync>(
-            &id,
-            user,
-            PermissionLevel::Read.into(),
-          )
-          .await?;
-          if sync.config.file_contents.is_empty()
-            && (sync.config.files_on_host
-              || !sync.config.repo.is_empty()
-              || !sync.config.linked_repo.is_empty())
-          {
-            ResourceSync::replace_ids(&mut sync);
-            res.resource_syncs.push(convert_resource::<ResourceSync>(
-              sync,
-              false,
-              vec![],
-              &id_to_tags,
-            ))
-          }
-        }
         ResourceTarget::Server(id) => {
           let mut server = get_check_permissions::<Server>(
             &id,
@@ -258,31 +238,16 @@ impl Resolve<ReadArgs> for ExportResourcesToToml {
             &id_to_tags,
           ))
         }
-        ResourceTarget::Builder(id) => {
-          let mut builder = get_check_permissions::<Builder>(
+        ResourceTarget::Stack(id) => {
+          let mut stack = get_check_permissions::<Stack>(
             &id,
             user,
             PermissionLevel::Read.into(),
           )
           .await?;
-          Builder::replace_ids(&mut builder);
-          res.builders.push(convert_resource::<Builder>(
-            builder,
-            false,
-            vec![],
-            &id_to_tags,
-          ))
-        }
-        ResourceTarget::Build(id) => {
-          let mut build = get_check_permissions::<Build>(
-            &id,
-            user,
-            PermissionLevel::Read.into(),
-          )
-          .await?;
-          Build::replace_ids(&mut build);
-          res.builds.push(convert_resource::<Build>(
-            build,
+          Stack::replace_ids(&mut stack);
+          res.stacks.push(convert_resource::<Stack>(
+            stack,
             false,
             vec![],
             &id_to_tags,
@@ -303,6 +268,21 @@ impl Resolve<ReadArgs> for ExportResourcesToToml {
             &id_to_tags,
           ))
         }
+        ResourceTarget::Build(id) => {
+          let mut build = get_check_permissions::<Build>(
+            &id,
+            user,
+            PermissionLevel::Read.into(),
+          )
+          .await?;
+          Build::replace_ids(&mut build);
+          res.builds.push(convert_resource::<Build>(
+            build,
+            false,
+            vec![],
+            &id_to_tags,
+          ))
+        }
         ResourceTarget::Repo(id) => {
           let mut repo = get_check_permissions::<Repo>(
             &id,
@@ -318,21 +298,6 @@ impl Resolve<ReadArgs> for ExportResourcesToToml {
             &id_to_tags,
           ))
         }
-        ResourceTarget::Stack(id) => {
-          let mut stack = get_check_permissions::<Stack>(
-            &id,
-            user,
-            PermissionLevel::Read.into(),
-          )
-          .await?;
-          Stack::replace_ids(&mut stack);
-          res.stacks.push(convert_resource::<Stack>(
-            stack,
-            false,
-            vec![],
-            &id_to_tags,
-          ))
-        }
         ResourceTarget::Procedure(id) => {
           let mut procedure = get_check_permissions::<Procedure>(
             &id,
@@ -363,6 +328,57 @@ impl Resolve<ReadArgs> for ExportResourcesToToml {
             &id_to_tags,
           ));
         }
+        ResourceTarget::ResourceSync(id) => {
+          let mut sync = get_check_permissions::<ResourceSync>(
+            &id,
+            user,
+            PermissionLevel::Read.into(),
+          )
+          .await?;
+          if sync.config.file_contents.is_empty()
+            && (sync.config.files_on_host
+              || !sync.config.repo.is_empty()
+              || !sync.config.linked_repo.is_empty())
+          {
+            ResourceSync::replace_ids(&mut sync);
+            res.resource_syncs.push(convert_resource::<ResourceSync>(
+              sync,
+              false,
+              vec![],
+              &id_to_tags,
+            ))
+          }
+        }
+        ResourceTarget::Builder(id) => {
+          let mut builder = get_check_permissions::<Builder>(
+            &id,
+            user,
+            PermissionLevel::Read.into(),
+          )
+          .await?;
+          Builder::replace_ids(&mut builder);
+          res.builders.push(convert_resource::<Builder>(
+            builder,
+            false,
+            vec![],
+            &id_to_tags,
+          ))
+        }
+        ResourceTarget::Alerter(id) => {
+          let mut alerter = get_check_permissions::<Alerter>(
+            &id,
+            user,
+            PermissionLevel::Read.into(),
+          )
+          .await?;
+          Alerter::replace_ids(&mut alerter);
+          res.alerters.push(convert_resource::<Alerter>(
+            alerter,
+            false,
+            vec![],
+            &id_to_tags,
+          ))
+        }
         ResourceTarget::System(_) => continue,
       };
     }

bin/core/src/api/read/update.rs

@@ -1,6 +1,6 @@
 use std::collections::HashMap;
 
-use anyhow::{Context, anyhow};
+use anyhow::Context;
 use database::mungos::{
   by_id::find_one_by_id,
   find::find_collect,
@@ -9,27 +9,18 @@ use database::mungos::{
 use komodo_client::{
   api::read::{GetUpdate, ListUpdates, ListUpdatesResponse},
   entities::{
-    ResourceTarget,
-    action::Action,
-    alerter::Alerter,
-    build::Build,
-    builder::Builder,
-    deployment::Deployment,
     permission::PermissionLevel,
-    procedure::Procedure,
-    repo::Repo,
-    server::Server,
-    stack::Stack,
-    sync::ResourceSync,
     update::{Update, UpdateListItem},
     user::User,
   },
 };
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;
 
 use crate::{
   config::core_config,
-  permission::{get_check_permissions, list_resource_ids_for_user},
+  permission::{
+    check_user_target_access, user_resource_target_query,
+  },
   state::db_client,
 };
 
@@ -41,159 +32,8 @@ impl Resolve<ReadArgs> for ListUpdates {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListUpdatesResponse> {
-    let query = if user.admin || core_config().transparent_mode {
-      self.query
-    } else {
-      let server_query = list_resource_ids_for_user::<Server>(
-        None,
-        user,
-        PermissionLevel::Read.into(),
-      )
-      .await?
-      .map(|ids| {
-        doc! {
-          "target.type": "Server", "target.id": { "$in": ids }
-        }
-      })
-      .unwrap_or_else(|| doc! { "target.type": "Server" });
-
-      let deployment_query =
-        list_resource_ids_for_user::<Deployment>(
-          None,
-          user,
-          PermissionLevel::Read.into(),
-        )
-        .await?
-        .map(|ids| {
-          doc! {
-            "target.type": "Deployment", "target.id": { "$in": ids }
-          }
-        })
-        .unwrap_or_else(|| doc! { "target.type": "Deployment" });
-
-      let stack_query = list_resource_ids_for_user::<Stack>(
-        None,
-        user,
-        PermissionLevel::Read.into(),
-      )
-      .await?
-      .map(|ids| {
-        doc! {
-          "target.type": "Stack", "target.id": { "$in": ids }
-        }
-      })
-      .unwrap_or_else(|| doc! { "target.type": "Stack" });
-
-      let build_query = list_resource_ids_for_user::<Build>(
-        None,
-        user,
-        PermissionLevel::Read.into(),
-      )
-      .await?
-      .map(|ids| {
-        doc! {
-          "target.type": "Build", "target.id": { "$in": ids }
-        }
-      })
-      .unwrap_or_else(|| doc! { "target.type": "Build" });
-
-      let repo_query = list_resource_ids_for_user::<Repo>(
-        None,
-        user,
-        PermissionLevel::Read.into(),
-      )
-      .await?
-      .map(|ids| {
-        doc! {
-          "target.type": "Repo", "target.id": { "$in": ids }
-        }
-      })
-      .unwrap_or_else(|| doc! { "target.type": "Repo" });
-
-      let procedure_query = list_resource_ids_for_user::<Procedure>(
-        None,
-        user,
-        PermissionLevel::Read.into(),
-      )
-      .await?
-      .map(|ids| {
-        doc! {
-          "target.type": "Procedure", "target.id": { "$in": ids }
-        }
-      })
-      .unwrap_or_else(|| doc! { "target.type": "Procedure" });
-
-      let action_query = list_resource_ids_for_user::<Action>(
-        None,
-        user,
-        PermissionLevel::Read.into(),
-      )
-      .await?
-      .map(|ids| {
-        doc! {
-          "target.type": "Action", "target.id": { "$in": ids }
-        }
-      })
-      .unwrap_or_else(|| doc! { "target.type": "Action" });
-
-      let builder_query = list_resource_ids_for_user::<Builder>(
-        None,
-        user,
-        PermissionLevel::Read.into(),
-      )
-      .await?
-      .map(|ids| {
-        doc! {
-          "target.type": "Builder", "target.id": { "$in": ids }
-        }
-      })
-      .unwrap_or_else(|| doc! { "target.type": "Builder" });
-
-      let alerter_query = list_resource_ids_for_user::<Alerter>(
-        None,
-        user,
-        PermissionLevel::Read.into(),
-      )
-      .await?
-      .map(|ids| {
-        doc! {
-          "target.type": "Alerter", "target.id": { "$in": ids }
-        }
-      })
-      .unwrap_or_else(|| doc! { "target.type": "Alerter" });
-
-      let resource_sync_query =
-        list_resource_ids_for_user::<ResourceSync>(
-          None,
-          user,
-          PermissionLevel::Read.into(),
-        )
-        .await?
-        .map(|ids| {
-          doc! {
-            "target.type": "ResourceSync", "target.id": { "$in": ids }
-          }
-        })
-        .unwrap_or_else(|| doc! { "target.type": "ResourceSync" });
-
-      let mut query = self.query.unwrap_or_default();
-      query.extend(doc! {
-        "$or": [
-          server_query,
-          deployment_query,
-          stack_query,
-          build_query,
-          repo_query,
-          procedure_query,
-          action_query,
-          alerter_query,
-          builder_query,
-          resource_sync_query,
-        ]
-      });
-      query.into()
-    };
+  ) -> mogh_error::Result<ListUpdatesResponse> {
+    let query = user_resource_target_query(user, self.query).await?;
 
     let usernames = find_collect(&db_client().users, None, None)
       .await
@@ -252,7 +92,7 @@ impl Resolve<ReadArgs> for GetUpdate {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
     let update = find_one_by_id(&db_client().updates, &self.id)
       .await
       .context("failed to query to db")?
@@ -260,93 +100,12 @@ impl Resolve<ReadArgs> for GetUpdate {
     if user.admin || core_config().transparent_mode {
       return Ok(update);
     }
-    match &update.target {
-      ResourceTarget::System(_) => {
-        return Err(
-          anyhow!("user must be admin to view system updates").into(),
-        );
-      }
-      ResourceTarget::Server(id) => {
-        get_check_permissions::<Server>(
-          id,
-          user,
-          PermissionLevel::Read.into(),
-        )
-        .await?;
-      }
-      ResourceTarget::Deployment(id) => {
-        get_check_permissions::<Deployment>(
-          id,
-          user,
-          PermissionLevel::Read.into(),
-        )
-        .await?;
-      }
-      ResourceTarget::Build(id) => {
-        get_check_permissions::<Build>(
-          id,
-          user,
-          PermissionLevel::Read.into(),
-        )
-        .await?;
-      }
-      ResourceTarget::Repo(id) => {
-        get_check_permissions::<Repo>(
-          id,
-          user,
-          PermissionLevel::Read.into(),
-        )
-        .await?;
-      }
-      ResourceTarget::Builder(id) => {
-        get_check_permissions::<Builder>(
-          id,
-          user,
-          PermissionLevel::Read.into(),
-        )
-        .await?;
-      }
-      ResourceTarget::Alerter(id) => {
-        get_check_permissions::<Alerter>(
-          id,
-          user,
-          PermissionLevel::Read.into(),
-        )
-        .await?;
-      }
-      ResourceTarget::Procedure(id) => {
-        get_check_permissions::<Procedure>(
-          id,
-          user,
-          PermissionLevel::Read.into(),
-        )
-        .await?;
-      }
-      ResourceTarget::Action(id) => {
-        get_check_permissions::<Action>(
-          id,
-          user,
-          PermissionLevel::Read.into(),
-        )
-        .await?;
-      }
-      ResourceTarget::ResourceSync(id) => {
-        get_check_permissions::<ResourceSync>(
-          id,
-          user,
-          PermissionLevel::Read.into(),
-        )
-        .await?;
-      }
-      ResourceTarget::Stack(id) => {
-        get_check_permissions::<Stack>(
-          id,
-          user,
-          PermissionLevel::Read.into(),
-        )
-        .await?;
-      }
-    }
+    check_user_target_access(
+      &update.target,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
     Ok(update)
   }
 }

bin/core/src/api/read/user.rs

@@ -13,7 +13,7 @@ use komodo_client::{
   },
   entities::user::{UserConfig, admin_service_user},
 };
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;
 
 use crate::{helpers::query::get_user, state::db_client};
 
@@ -23,7 +23,7 @@ impl Resolve<ReadArgs> for GetUsername {
   async fn resolve(
     self,
     _: &ReadArgs,
-  ) -> serror::Result<GetUsernameResponse> {
+  ) -> mogh_error::Result<GetUsernameResponse> {
     if let Some(user) = admin_service_user(&self.user_id) {
       return Ok(GetUsernameResponse {
         username: user.username,
@@ -53,7 +53,7 @@ impl Resolve<ReadArgs> for FindUser {
   async fn resolve(
     self,
     ReadArgs { user: admin }: &ReadArgs,
-  ) -> serror::Result<FindUserResponse> {
+  ) -> mogh_error::Result<FindUserResponse> {
     if !admin.admin {
       return Err(anyhow!("This method is admin only.").into());
     }
@@ -65,7 +65,7 @@ impl Resolve<ReadArgs> for ListUsers {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListUsersResponse> {
+  ) -> mogh_error::Result<ListUsersResponse> {
     if !user.admin {
       return Err(
         anyhow!("this route is only accessable by admins").into(),
@@ -87,7 +87,7 @@ impl Resolve<ReadArgs> for ListApiKeys {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListApiKeysResponse> {
+  ) -> mogh_error::Result<ListApiKeysResponse> {
     let api_keys = find_collect(
       &db_client().api_keys,
       doc! { "user_id": &user.id },
@@ -109,7 +109,7 @@ impl Resolve<ReadArgs> for ListApiKeysForServiceUser {
   async fn resolve(
     self,
     ReadArgs { user: admin }: &ReadArgs,
-  ) -> serror::Result<ListApiKeysForServiceUserResponse> {
+  ) -> mogh_error::Result<ListApiKeysForServiceUserResponse> {
     if !admin.admin {
       return Err(anyhow!("This method is admin only.").into());
     }

bin/core/src/api/read/user_group.rs

@@ -9,7 +9,7 @@ use database::mungos::{
   },
 };
 use komodo_client::api::read::*;
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;
 
 use crate::state::db_client;
 
@@ -19,7 +19,7 @@ impl Resolve<ReadArgs> for GetUserGroup {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetUserGroupResponse> {
+  ) -> mogh_error::Result<GetUserGroupResponse> {
     let mut filter = match ObjectId::from_str(&self.user_group) {
       Ok(id) => doc! { "_id": id },
       Err(_) => doc! { "name": &self.user_group },
@@ -43,7 +43,7 @@ impl Resolve<ReadArgs> for ListUserGroups {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListUserGroupsResponse> {
+  ) -> mogh_error::Result<ListUserGroupsResponse> {
     let mut filter = Document::new();
     if !user.admin {
       filter.insert("users", &user.id);

bin/core/src/api/read/variable.rs

@@ -4,7 +4,7 @@ use database::mungos::{
   find::find_collect, mongodb::options::FindOptions,
 };
 use komodo_client::api::read::*;
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;
 
 use crate::{helpers::query::get_variable, state::db_client};
 
@@ -14,7 +14,7 @@ impl Resolve<ReadArgs> for GetVariable {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetVariableResponse> {
+  ) -> mogh_error::Result<GetVariableResponse> {
     let mut variable = get_variable(&self.name).await?;
     if !variable.is_secret || user.admin {
       return Ok(variable);
@@ -28,7 +28,7 @@ impl Resolve<ReadArgs> for ListVariables {
   async fn resolve(
     self,
     ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListVariablesResponse> {
+  ) -> mogh_error::Result<ListVariablesResponse> {
     let variables = find_collect(
       &db_client().variables,
       None,

bin/core/src/api/terminal.rs

@@ -1,16 +1,19 @@
 use anyhow::Context;
 use axum::{Extension, Router, middleware, routing::post};
 use komodo_client::{api::terminal::*, entities::user::User};
-use serror::Json;
+use mogh_auth_server::middleware::authenticate_request;
+use mogh_error::Json;
 
 use crate::{
-  auth::auth_request, helpers::terminal::setup_target_for_user,
+  auth::KomodoAuthImpl, helpers::terminal::setup_target_for_user,
 };
 
 pub fn router() -> Router {
   Router::new()
     .route("/execute", post(execute_terminal))
-    .layer(middleware::from_fn(auth_request))
+    .layer(middleware::from_fn(
+      authenticate_request::<KomodoAuthImpl, true>,
+    ))
 }
 
 // =================
@@ -35,8 +38,11 @@ async fn execute_terminal(
     command,
     init,
   }): Json<ExecuteTerminalBody>,
-) -> serror::Result<axum::body::Body> {
-  info!("/terminal/execute request | user: {}", user.username);
+) -> mogh_error::Result<axum::body::Body> {
+  info!(
+    "TERMINAL EXECUTE REQUEST | USER: {} ({})",
+    user.username, user.id
+  );
 
   let (target, terminal, periphery) =
     setup_target_for_user(target, terminal, init, &user).await?;

bin/core/src/api/user.rs

@@ -1,209 +0,0 @@
-use std::{collections::VecDeque, time::Instant};
-
-use anyhow::{Context, anyhow};
-use axum::{
-  Extension, Json, Router, extract::Path, middleware, routing::post,
-};
-use database::mongo_indexed::doc;
-use database::mungos::{
-  by_id::update_one_by_id, mongodb::bson::to_bson,
-};
-use derive_variants::EnumVariants;
-use komodo_client::entities::random_string;
-use komodo_client::{
-  api::user::*,
-  entities::{api_key::ApiKey, komodo_timestamp, user::User},
-};
-use resolver_api::Resolve;
-use response::Response;
-use serde::{Deserialize, Serialize};
-use serde_json::json;
-use typeshare::typeshare;
-use uuid::Uuid;
-
-use crate::{
-  auth::auth_request, helpers::query::get_user, state::db_client,
-};
-
-use super::Variant;
-
-pub struct UserArgs {
-  pub user: User,
-}
-
-#[typeshare]
-#[derive(
-  Serialize, Deserialize, Debug, Clone, Resolve, EnumVariants,
-)]
-#[args(UserArgs)]
-#[response(Response)]
-#[error(serror::Error)]
-#[serde(tag = "type", content = "params")]
-enum UserRequest {
-  PushRecentlyViewed(PushRecentlyViewed),
-  SetLastSeenUpdate(SetLastSeenUpdate),
-  CreateApiKey(CreateApiKey),
-  DeleteApiKey(DeleteApiKey),
-}
-
-pub fn router() -> Router {
-  Router::new()
-    .route("/", post(handler))
-    .route("/{variant}", post(variant_handler))
-    .layer(middleware::from_fn(auth_request))
-}
-
-async fn variant_handler(
-  user: Extension<User>,
-  Path(Variant { variant }): Path<Variant>,
-  Json(params): Json<serde_json::Value>,
-) -> serror::Result<axum::response::Response> {
-  let req: UserRequest = serde_json::from_value(json!({
-    "type": variant,
-    "params": params,
-  }))?;
-  handler(user, Json(req)).await
-}
-
-async fn handler(
-  Extension(user): Extension<User>,
-  Json(request): Json<UserRequest>,
-) -> serror::Result<axum::response::Response> {
-  let timer = Instant::now();
-  let req_id = Uuid::new_v4();
-  debug!(
-    "/user request {req_id} | user: {} ({})",
-    user.username, user.id
-  );
-  let res = request.resolve(&UserArgs { user }).await;
-  if let Err(e) = &res {
-    warn!("/user request {req_id} error: {:#}", e.error);
-  }
-  let elapsed = timer.elapsed();
-  debug!("/user request {req_id} | resolve time: {elapsed:?}");
-  res.map(|res| res.0)
-}
-
-const RECENTLY_VIEWED_MAX: usize = 10;
-
-impl Resolve<UserArgs> for PushRecentlyViewed {
-  async fn resolve(
-    self,
-    UserArgs { user }: &UserArgs,
-  ) -> serror::Result<PushRecentlyViewedResponse> {
-    let user = get_user(&user.id).await?;
-
-    let (resource_type, id) = self.resource.extract_variant_id();
-    let update = match user.recents.get(&resource_type) {
-      Some(recents) => {
-        let mut recents = recents
-          .iter()
-          .filter(|_id| !id.eq(*_id))
-          .take(RECENTLY_VIEWED_MAX - 1)
-          .collect::<VecDeque<_>>();
-        recents.push_front(id);
-        doc! { format!("recents.{resource_type}"): to_bson(&recents)? }
-      }
-      None => {
-        doc! { format!("recents.{resource_type}"): [id] }
-      }
-    };
-    update_one_by_id(
-      &db_client().users,
-      &user.id,
-      database::mungos::update::Update::Set(update),
-      None,
-    )
-    .await
-    .with_context(|| {
-      format!("failed to update recents.{resource_type}")
-    })?;
-
-    Ok(PushRecentlyViewedResponse {})
-  }
-}
-
-impl Resolve<UserArgs> for SetLastSeenUpdate {
-  async fn resolve(
-    self,
-    UserArgs { user }: &UserArgs,
-  ) -> serror::Result<SetLastSeenUpdateResponse> {
-    update_one_by_id(
-      &db_client().users,
-      &user.id,
-      database::mungos::update::Update::Set(doc! {
-        "last_update_view": komodo_timestamp()
-      }),
-      None,
-    )
-    .await
-    .context("failed to update user last_update_view")?;
-    Ok(SetLastSeenUpdateResponse {})
-  }
-}
-
-const SECRET_LENGTH: usize = 40;
-const BCRYPT_COST: u32 = 10;
-
-impl Resolve<UserArgs> for CreateApiKey {
-  #[instrument(
-    "CreateApiKey",
-    skip_all,
-    fields(operator = user.id)
-  )]
-  async fn resolve(
-    self,
-    UserArgs { user }: &UserArgs,
-  ) -> serror::Result<CreateApiKeyResponse> {
-    let user = get_user(&user.id).await?;
-
-    let key = format!("K-{}", random_string(SECRET_LENGTH));
-    let secret = format!("S-{}", random_string(SECRET_LENGTH));
-    let secret_hash = bcrypt::hash(&secret, BCRYPT_COST)
-      .context("failed at hashing secret string")?;
-
-    let api_key = ApiKey {
-      name: self.name,
-      key: key.clone(),
-      secret: secret_hash,
-      user_id: user.id.clone(),
-      created_at: komodo_timestamp(),
-      expires: self.expires,
-    };
-    db_client()
-      .api_keys
-      .insert_one(api_key)
-      .await
-      .context("failed to create api key on db")?;
-    Ok(CreateApiKeyResponse { key, secret })
-  }
-}
-
-impl Resolve<UserArgs> for DeleteApiKey {
-  #[instrument(
-    "DeleteApiKey",
-    skip_all,
-    fields(operator = user.id)
-  )]
-  async fn resolve(
-    self,
-    UserArgs { user }: &UserArgs,
-  ) -> serror::Result<DeleteApiKeyResponse> {
-    let client = db_client();
-    let key = client
-      .api_keys
-      .find_one(doc! { "key": &self.key })
-      .await
-      .context("failed at db query")?
-      .context("no api key with key found")?;
-    if user.id != key.user_id {
-      return Err(anyhow!("api key does not belong to user").into());
-    }
-    client
-      .api_keys
-      .delete_one(doc! { "key": key.key })
-      .await
-      .context("failed to delete api key from db")?;
-    Ok(DeleteApiKeyResponse {})
-  }
-}

bin/core/src/api/write/action.rs

@@ -4,7 +4,7 @@ use komodo_client::{
     action::Action, permission::PermissionLevel, update::Update,
   },
 };
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;
 
 use crate::{permission::get_check_permissions, resource};
 
@@ -23,7 +23,7 @@ impl Resolve<WriteArgs> for CreateAction {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Action> {
+  ) -> mogh_error::Result<Action> {
     resource::create::<Action>(&self.name, self.config, None, user)
       .await
   }
@@ -42,7 +42,7 @@ impl Resolve<WriteArgs> for CopyAction {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Action> {
+  ) -> mogh_error::Result<Action> {
     let Action { config, .. } = get_check_permissions::<Action>(
       &self.id,
       user,
@@ -67,7 +67,7 @@ impl Resolve<WriteArgs> for UpdateAction {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Action> {
+  ) -> mogh_error::Result<Action> {
     Ok(resource::update::<Action>(&self.id, self.config, user).await?)
   }
 }
@@ -85,7 +85,7 @@ impl Resolve<WriteArgs> for RenameAction {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
     Ok(resource::rename::<Action>(&self.id, &self.name, user).await?)
   }
 }
@@ -102,7 +102,7 @@ impl Resolve<WriteArgs> for DeleteAction {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Action> {
+  ) -> mogh_error::Result<Action> {
     Ok(resource::delete::<Action>(&self.id, user).await?)
   }
 }

bin/core/src/api/write/alert.rs

@@ -3,9 +3,9 @@ use std::str::FromStr;
 use anyhow::{Context, anyhow};
 use database::mungos::mongodb::bson::{doc, oid::ObjectId};
 use komodo_client::{api::write::CloseAlert, entities::NoData};
+use mogh_error::AddStatusCodeError;
+use mogh_resolver::Resolve;
 use reqwest::StatusCode;
-use resolver_api::Resolve;
-use serror::AddStatusCodeError;
 
 use crate::{api::write::WriteArgs, state::db_client};
 

bin/core/src/api/write/alerter.rs

@@ -4,7 +4,7 @@ use komodo_client::{
     alerter::Alerter, permission::PermissionLevel, update::Update,
   },
 };
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;
 
 use crate::{permission::get_check_permissions, resource};
 
@@ -23,7 +23,7 @@ impl Resolve<WriteArgs> for CreateAlerter {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Alerter> {
+  ) -> mogh_error::Result<Alerter> {
     resource::create::<Alerter>(&self.name, self.config, None, user)
       .await
   }
@@ -42,7 +42,7 @@ impl Resolve<WriteArgs> for CopyAlerter {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Alerter> {
+  ) -> mogh_error::Result<Alerter> {
     let Alerter { config, .. } = get_check_permissions::<Alerter>(
       &self.id,
       user,
@@ -66,7 +66,7 @@ impl Resolve<WriteArgs> for DeleteAlerter {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Alerter> {
+  ) -> mogh_error::Result<Alerter> {
     Ok(resource::delete::<Alerter>(&self.id, user).await?)
   }
 }
@@ -84,7 +84,7 @@ impl Resolve<WriteArgs> for UpdateAlerter {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Alerter> {
+  ) -> mogh_error::Result<Alerter> {
     Ok(
       resource::update::<Alerter>(&self.id, self.config, user)
         .await?,
@@ -105,7 +105,7 @@ impl Resolve<WriteArgs> for RenameAlerter {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
     Ok(resource::rename::<Alerter>(&self.id, &self.name, user).await?)
   }
 }

bin/core/src/api/write/build.rs

@@ -19,10 +19,10 @@ use komodo_client::{
     update::Update,
   },
 };
+use mogh_resolver::Resolve;
 use periphery_client::api::build::{
   GetDockerfileContentsOnHost, WriteDockerfileContentsToHost,
 };
-use resolver_api::Resolve;
 use tokio::fs;
 
 use crate::{
@@ -54,7 +54,7 @@ impl Resolve<WriteArgs> for CreateBuild {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Build> {
+  ) -> mogh_error::Result<Build> {
     resource::create::<Build>(&self.name, self.config, None, user)
       .await
   }
@@ -73,7 +73,7 @@ impl Resolve<WriteArgs> for CopyBuild {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Build> {
+  ) -> mogh_error::Result<Build> {
     let Build { mut config, .. } = get_check_permissions::<Build>(
       &self.id,
       user,
@@ -99,7 +99,7 @@ impl Resolve<WriteArgs> for DeleteBuild {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Build> {
+  ) -> mogh_error::Result<Build> {
     Ok(resource::delete::<Build>(&self.id, user).await?)
   }
 }
@@ -117,7 +117,7 @@ impl Resolve<WriteArgs> for UpdateBuild {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Build> {
+  ) -> mogh_error::Result<Build> {
     Ok(resource::update::<Build>(&self.id, self.config, user).await?)
   }
 }
@@ -135,7 +135,7 @@ impl Resolve<WriteArgs> for RenameBuild {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
     Ok(resource::rename::<Build>(&self.id, &self.name, user).await?)
   }
 }
@@ -149,7 +149,10 @@ impl Resolve<WriteArgs> for WriteBuildFileContents {
       build = self.build,
     )
   )]
-  async fn resolve(self, args: &WriteArgs) -> serror::Result<Update> {
+  async fn resolve(
+    self,
+    args: &WriteArgs,
+  ) -> mogh_error::Result<Update> {
     let build = get_check_permissions::<Build>(
       &self.build,
       &args.user,
@@ -226,7 +229,7 @@ async fn write_dockerfile_contents_git(
   args: &WriteArgs,
   build: Build,
   mut update: Update,
-) -> serror::Result<Update> {
+) -> mogh_error::Result<Update> {
   let WriteBuildFileContents { build: _, contents } = req;
 
   let mut repo_args: RepoExecutionArgs = if !build
@@ -318,7 +321,7 @@ async fn write_dockerfile_contents_git(
     return Ok(update);
   }
 
-  if let Err(e) = secret_file::write_async(&full_path, &contents)
+  if let Err(e) = mogh_secret_file::write_async(&full_path, &contents)
     .await
     .with_context(|| {
       format!("Failed to write dockerfile contents to {full_path:?}")
@@ -370,7 +373,7 @@ impl Resolve<WriteArgs> for RefreshBuildCache {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<NoData> {
+  ) -> mogh_error::Result<NoData> {
     // Even though this is a write request, this doesn't change any config. Anyone that can execute the
     // build should be able to do this.
     let build = get_check_permissions::<Build>(

bin/core/src/api/write/builder.rs

@@ -4,7 +4,7 @@ use komodo_client::{
     builder::Builder, permission::PermissionLevel, update::Update,
   },
 };
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;
 
 use crate::{permission::get_check_permissions, resource};
 
@@ -23,7 +23,7 @@ impl Resolve<WriteArgs> for CreateBuilder {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Builder> {
+  ) -> mogh_error::Result<Builder> {
     resource::create::<Builder>(&self.name, self.config, None, user)
       .await
   }
@@ -42,7 +42,7 @@ impl Resolve<WriteArgs> for CopyBuilder {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Builder> {
+  ) -> mogh_error::Result<Builder> {
     let Builder { config, .. } = get_check_permissions::<Builder>(
       &self.id,
       user,
@@ -66,7 +66,7 @@ impl Resolve<WriteArgs> for DeleteBuilder {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Builder> {
+  ) -> mogh_error::Result<Builder> {
     Ok(resource::delete::<Builder>(&self.id, user).await?)
   }
 }
@@ -84,7 +84,7 @@ impl Resolve<WriteArgs> for UpdateBuilder {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Builder> {
+  ) -> mogh_error::Result<Builder> {
     Ok(
       resource::update::<Builder>(&self.id, self.config, user)
         .await?,
@@ -105,7 +105,7 @@ impl Resolve<WriteArgs> for RenameBuilder {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
     Ok(resource::rename::<Builder>(&self.id, &self.name, user).await?)
   }
 }

bin/core/src/api/write/deployment.rs

@@ -1,33 +1,48 @@
+use std::sync::OnceLock;
+
 use anyhow::{Context, anyhow};
 use database::mungos::{by_id::update_one_by_id, mongodb::bson::doc};
+use futures_util::{StreamExt as _, stream::FuturesOrdered};
 use komodo_client::{
-  api::write::*,
+  api::{execute::Deploy, write::*},
   entities::{
-    Operation,
+    Operation, ResourceTarget, SwarmOrServer,
+    alert::{Alert, AlertData, SeverityLevel},
     deployment::{
-      Deployment, DeploymentImage, DeploymentState,
-      PartialDeploymentConfig, RestartMode,
+      Deployment, DeploymentImage, DeploymentInfo, DeploymentState,
+      PartialDeploymentConfig, RestartMode, extract_registry_domain,
     },
     docker::container::RestartPolicyNameEnum,
-    komodo_timestamp,
+    komodo_timestamp, optional_string,
     permission::PermissionLevel,
     server::{Server, ServerState},
     to_container_compatible_name,
     update::Update,
+    user::{auto_redeploy_user, system_user},
   },
 };
+use mogh_cache::SetCache;
+use mogh_resolver::Resolve;
 use periphery_client::api::{self, container::InspectContainer};
-use resolver_api::Resolve;
 
 use crate::{
+  alert::send_alerts,
+  api::execute::{self, ExecuteRequest, ExecutionResult},
   helpers::{
     periphery_client,
-    query::get_deployment_state,
-    update::{add_update, make_update},
+    query::{get_deployment_state, get_swarm_or_server},
+    registry_token,
+    update::{add_update, make_update, poll_update_until_complete},
   },
   permission::get_check_permissions,
-  resource,
-  state::{action_states, db_client, server_status_cache},
+  resource::{
+    self, list_full_for_user_using_pattern,
+    setup_deployment_execution,
+  },
+  state::{
+    action_states, db_client, deployment_status_cache,
+    image_digest_cache, server_status_cache,
+  },
 };
 
 use super::WriteArgs;
@@ -45,7 +60,7 @@ impl Resolve<WriteArgs> for CreateDeployment {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Deployment> {
+  ) -> mogh_error::Result<Deployment> {
     resource::create::<Deployment>(
       &self.name,
       self.config,
@@ -69,7 +84,7 @@ impl Resolve<WriteArgs> for CopyDeployment {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Deployment> {
+  ) -> mogh_error::Result<Deployment> {
     let Deployment { config, .. } =
       get_check_permissions::<Deployment>(
         &self.id,
@@ -100,7 +115,7 @@ impl Resolve<WriteArgs> for CreateDeploymentFromContainer {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Deployment> {
+  ) -> mogh_error::Result<Deployment> {
     let server = get_check_permissions::<Server>(
       &self.server,
       user,
@@ -201,7 +216,7 @@ impl Resolve<WriteArgs> for DeleteDeployment {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Deployment> {
+  ) -> mogh_error::Result<Deployment> {
     Ok(resource::delete::<Deployment>(&self.id, user).await?)
   }
 }
@@ -219,11 +234,35 @@ impl Resolve<WriteArgs> for UpdateDeployment {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Deployment> {
-    Ok(
+  ) -> mogh_error::Result<Deployment> {
+    // If the update changes image,
+    // also update the stored latest image digest.
+    let image_update = self
+      .config
+      .image
+      .as_ref()
+      .map(|image| image.as_image().is_some())
+      .unwrap_or_default();
+
+    let deployment =
       resource::update::<Deployment>(&self.id, self.config, user)
-        .await?,
-    )
+        .await?;
+
+    if image_update {
+      tokio::spawn(async move {
+        let _ = (CheckDeploymentForUpdate {
+          deployment: self.id,
+          skip_auto_update: false,
+          wait_for_auto_update: false,
+        })
+        .resolve(&WriteArgs {
+          user: system_user().to_owned(),
+        })
+        .await;
+      });
+    }
+
+    Ok(deployment)
   }
 }
 
@@ -240,7 +279,7 @@ impl Resolve<WriteArgs> for RenameDeployment {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
     let deployment = get_check_permissions::<Deployment>(
       &self.id,
       user,
@@ -314,3 +353,322 @@ impl Resolve<WriteArgs> for RenameDeployment {
     Ok(update)
   }
 }
+
+//
+
+impl Resolve<WriteArgs> for CheckDeploymentForUpdate {
+  #[instrument(
+    "CheckDeploymentForUpdate",
+    skip_all,
+    fields(
+      operator = user.id,
+      deployment = self.deployment,
+      skip_auto_update = self.skip_auto_update,
+      wait_for_auto_update = self.wait_for_auto_update,
+    )
+  )]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> mogh_error::Result<Self::Response> {
+    // Even though this is a write request, this doesn't change any config. Anyone that can execute the
+    // deployment should be able to do this.
+    let (deployment, swarm_or_server) = setup_deployment_execution(
+      &self.deployment,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    swarm_or_server.verify_has_target()?;
+
+    check_deployment_for_update_inner(
+      deployment,
+      &swarm_or_server,
+      self.skip_auto_update,
+      self.wait_for_auto_update,
+    )
+    .await
+    .map_err(Into::into)
+  }
+}
+
+/// If it goes down the "update available" path,
+/// only send alert if deployment id is not in this cache.
+/// If alert is sent, add ID to cache.
+/// If later it goes down non "update available" path,
+/// remove the id from cache, so next time it does another alert
+/// will be sent.
+fn deployment_alert_sent_cache() -> &'static SetCache<String> {
+  static CACHE: OnceLock<SetCache<String>> = OnceLock::new();
+  CACHE.get_or_init(Default::default)
+}
+
+/// Checks remote registry for latest image digest,
+/// and saves it to database associated with the deployment.
+///
+/// Returns true if update is available and auto deploy is false.
+/// If auto deploy is true, this will deploy.
+#[instrument(
+  "CheckDeploymentForUpdateInner",
+  skip_all,
+  fields(
+    deployment = deployment.id,
+    skip_auto_update,
+    wait_for_auto_update,
+  )
+)]
+pub async fn check_deployment_for_update_inner(
+  deployment: Deployment,
+  swarm_or_server: &SwarmOrServer,
+  skip_auto_update: bool,
+  // Otherwise spawns task to run in background
+  wait_for_auto_update: bool,
+) -> anyhow::Result<CheckDeploymentForUpdateResponse> {
+  let alert_cache = deployment_alert_sent_cache();
+
+  let (image, account, token) = match &deployment.config.image {
+    DeploymentImage::Image { image } => {
+      if image.contains('@') {
+        // Images with a hardcoded digest can't have update.
+        return Ok(CheckDeploymentForUpdateResponse {
+          deployment: deployment.id,
+          update_available: false,
+        });
+      }
+      let domain = extract_registry_domain(&image)?;
+      let account =
+        optional_string(&deployment.config.image_registry_account);
+      let token = if let Some(account) = &account {
+        registry_token(&domain, account).await?
+      } else {
+        None
+      };
+      (image, account, token)
+    }
+    DeploymentImage::Build { .. } => {
+      alert_cache.remove(&deployment.id).await;
+      // This method not used for build based deployments
+      // as deployed version vs built version can be inferred from Updates.
+      return Ok(CheckDeploymentForUpdateResponse {
+        deployment: deployment.id,
+        update_available: false,
+      });
+    }
+  };
+
+  let latest_digest = image_digest_cache()
+    .get(&swarm_or_server, &image, account, token)
+    .await?;
+
+  resource::update_info::<Deployment>(
+    &deployment.id,
+    &DeploymentInfo {
+      latest_image_digest: latest_digest.clone(),
+    },
+  )
+  .await?;
+
+  let Some((state, Some(current_digests))) =
+    deployment_status_cache()
+      .get(&deployment.id)
+      .await
+      .map(|s| (s.curr.state, s.curr.image_digests.clone()))
+  else {
+    alert_cache.remove(&deployment.id).await;
+    return Ok(CheckDeploymentForUpdateResponse {
+      deployment: deployment.id,
+      update_available: false,
+    });
+  };
+
+  // If not running or latest digest matches current, early return
+  if !matches!(state, DeploymentState::Running)
+    || !latest_digest.update_available(&current_digests)
+  {
+    alert_cache.remove(&deployment.id).await;
+    return Ok(CheckDeploymentForUpdateResponse {
+      deployment: deployment.id,
+      update_available: false,
+    });
+  }
+
+  if !skip_auto_update && deployment.config.auto_update {
+    // Trigger deploy + alert
+
+    // Conservatively remove from alert cache so 'skip_auto_update'
+    // doesn't cause alerts not to be sent on subsequent calls.
+    alert_cache.remove(&deployment.id).await;
+
+    let swarm_id = swarm_or_server.swarm_id().map(str::to_string);
+    let swarm_name = swarm_or_server.swarm_name().map(str::to_string);
+    let server_id = swarm_or_server.server_id().map(str::to_string);
+    let server_name =
+      swarm_or_server.server_name().map(str::to_string);
+    let id = deployment.id.clone();
+    let name = deployment.name.clone();
+    let image = image.clone();
+
+    let run = async move {
+      match execute::inner_handler(
+        ExecuteRequest::Deploy(Deploy {
+          deployment: name.clone(),
+          stop_signal: None,
+          stop_time: None,
+        }),
+        auto_redeploy_user().to_owned(),
+      )
+      .await
+      {
+        Ok(res) => {
+          let ExecutionResult::Single(update) = res else {
+            unreachable!()
+          };
+          let Ok(update) =
+            poll_update_until_complete(&update.id).await
+          else {
+            return;
+          };
+          if update.success {
+            let ts = komodo_timestamp();
+            let alert = Alert {
+              id: Default::default(),
+              ts,
+              resolved: true,
+              resolved_ts: ts.into(),
+              level: SeverityLevel::Ok,
+              target: ResourceTarget::Deployment(id.clone()),
+              data: AlertData::DeploymentAutoUpdated {
+                id,
+                name,
+                swarm_id,
+                swarm_name,
+                server_id,
+                server_name,
+                image,
+              },
+            };
+            let res = db_client().alerts.insert_one(&alert).await;
+            if let Err(e) = res {
+              error!(
+                "Failed to record DeploymentAutoUpdated to db | {e:#}"
+              );
+            }
+            send_alerts(&[alert]).await;
+          }
+        }
+        Err(e) => {
+          warn!("Failed to auto update Deployment {name} | {e:#}",)
+        }
+      }
+    };
+
+    if wait_for_auto_update {
+      run.await
+    } else {
+      tokio::spawn(run);
+    }
+  } else {
+    // Avoid spamming alerts
+    if alert_cache.contains(&deployment.id).await {
+      return Ok(CheckDeploymentForUpdateResponse {
+        deployment: deployment.id,
+        update_available: true,
+      });
+    }
+    alert_cache.insert(deployment.id.clone()).await;
+    let ts = komodo_timestamp();
+    let alert = Alert {
+      id: Default::default(),
+      ts,
+      resolved: true,
+      resolved_ts: ts.into(),
+      level: SeverityLevel::Ok,
+      target: ResourceTarget::Deployment(deployment.id.clone()),
+      data: AlertData::DeploymentImageUpdateAvailable {
+        id: deployment.id.clone(),
+        name: deployment.name.clone(),
+        swarm_id: swarm_or_server.swarm_id().map(str::to_string),
+        swarm_name: swarm_or_server.swarm_name().map(str::to_string),
+        server_id: swarm_or_server.server_id().map(str::to_string),
+        server_name: swarm_or_server
+          .server_name()
+          .map(str::to_string),
+        image: image.clone(),
+      },
+    };
+    let res = db_client().alerts.insert_one(&alert).await;
+    if let Err(e) = res {
+      error!(
+        "Failed to record DeploymentImageUpdateAvailable to db | {e:#}"
+      );
+    }
+    send_alerts(&[alert]).await;
+  }
+
+  Ok(CheckDeploymentForUpdateResponse {
+    deployment: deployment.id,
+    update_available: !deployment.config.auto_update,
+  })
+}
+
+//
+
+impl Resolve<WriteArgs> for BatchCheckDeploymentForUpdate {
+  #[instrument(
+    "BatchCheckDeploymentForUpdate",
+    skip_all,
+    fields(
+      operator = user.id,
+      pattern = self.pattern,
+      skip_auto_update = self.skip_auto_update,
+      wait_for_auto_update = self.wait_for_auto_update,
+    )
+  )]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    let deployments = list_full_for_user_using_pattern::<Deployment>(
+      &self.pattern,
+      Default::default(),
+      user,
+      PermissionLevel::Execute.into(),
+      &[],
+    )
+    .await?;
+
+    let res = deployments
+      .into_iter()
+      .map(|deployment| async move {
+        let swarm_or_server = get_swarm_or_server(
+          &deployment.config.swarm_id,
+          &deployment.config.server_id,
+        )
+        .await?;
+        swarm_or_server.verify_has_target().map_err(|e| e.error)?;
+        check_deployment_for_update_inner(
+          deployment,
+          &swarm_or_server,
+          self.skip_auto_update,
+          self.wait_for_auto_update,
+        )
+        .await
+      })
+      .collect::<FuturesOrdered<_>>()
+      .collect::<Vec<_>>()
+      .await
+      .into_iter()
+      .filter_map(|res| {
+        res
+          .inspect_err(|e| {
+            warn!(
+              "Failed to check deployment for update in batch run | {e:#}"
+            )
+          })
+          .ok()
+      })
+      .collect();
+    Ok(res)
+  }
+}

bin/core/src/api/write/mod.rs

@@ -2,18 +2,19 @@ use anyhow::Context;
 use axum::{
   Extension, Router, extract::Path, middleware, routing::post,
 };
-use derive_variants::{EnumVariants, ExtractVariant};
 use komodo_client::{api::write::*, entities::user::User};
-use resolver_api::Resolve;
-use response::Response;
+use mogh_auth_server::middleware::authenticate_request;
+use mogh_error::Json;
+use mogh_error::Response;
+use mogh_resolver::Resolve;
 use serde::{Deserialize, Serialize};
 use serde_json::json;
-use serror::Json;
 use strum::Display;
+use strum::EnumDiscriminants;
 use typeshare::typeshare;
 use uuid::Uuid;
 
-use crate::auth::auth_request;
+use crate::auth::KomodoAuthImpl;
 
 use super::Variant;
 
@@ -23,7 +24,7 @@ mod alerter;
 mod build;
 mod builder;
 mod deployment;
-mod onboarding_key;
+mod onboarding;
 mod permissions;
 mod procedure;
 mod provider;
@@ -32,6 +33,7 @@ mod resource;
 mod server;
 mod service_user;
 mod stack;
+mod swarm;
 mod sync;
 mod tag;
 mod terminal;
@@ -39,50 +41,35 @@ mod user;
 mod user_group;
 mod variable;
 
+pub use {
+  deployment::check_deployment_for_update_inner,
+  stack::check_stack_for_update_inner,
+};
+
 pub struct WriteArgs {
   pub user: User,
 }
 
 #[typeshare]
 #[derive(
-  Serialize, Deserialize, Debug, Clone, Resolve, EnumVariants,
+  Serialize, Deserialize, Debug, Clone, Resolve, EnumDiscriminants,
 )]
-#[variant_derive(Debug, Display)]
+#[strum_discriminants(name(WriteRequestVariant), derive(Display))]
 #[args(WriteArgs)]
 #[response(Response)]
-#[error(serror::Error)]
+#[error(mogh_error::Error)]
 #[serde(tag = "type", content = "params")]
 pub enum WriteRequest {
-  // ==== USER ====
-  CreateLocalUser(CreateLocalUser),
-  UpdateUserUsername(UpdateUserUsername),
-  UpdateUserPassword(UpdateUserPassword),
-  DeleteUser(DeleteUser),
-
-  // ==== SERVICE USER ====
-  CreateServiceUser(CreateServiceUser),
-  UpdateServiceUserDescription(UpdateServiceUserDescription),
-  CreateApiKeyForServiceUser(CreateApiKeyForServiceUser),
-  DeleteApiKeyForServiceUser(DeleteApiKeyForServiceUser),
-
-  // ==== USER GROUP ====
-  CreateUserGroup(CreateUserGroup),
-  RenameUserGroup(RenameUserGroup),
-  DeleteUserGroup(DeleteUserGroup),
-  AddUserToUserGroup(AddUserToUserGroup),
-  RemoveUserFromUserGroup(RemoveUserFromUserGroup),
-  SetUsersInUserGroup(SetUsersInUserGroup),
-  SetEveryoneUserGroup(SetEveryoneUserGroup),
-
-  // ==== PERMISSIONS ====
-  UpdateUserAdmin(UpdateUserAdmin),
-  UpdateUserBasePermissions(UpdateUserBasePermissions),
-  UpdatePermissionOnResourceType(UpdatePermissionOnResourceType),
-  UpdatePermissionOnTarget(UpdatePermissionOnTarget),
-
   // ==== RESOURCE ====
   UpdateResourceMeta(UpdateResourceMeta),
 
+  // ==== SWARM ====
+  CreateSwarm(CreateSwarm),
+  CopySwarm(CopySwarm),
+  DeleteSwarm(DeleteSwarm),
+  UpdateSwarm(UpdateSwarm),
+  RenameSwarm(RenameSwarm),
+
   // ==== SERVER ====
   CreateServer(CreateServer),
   CopyServer(CopyServer),
@@ -93,6 +80,12 @@ pub enum WriteRequest {
   UpdateServerPublicKey(UpdateServerPublicKey),
   RotateServerKeys(RotateServerKeys),
 
+  // ==== TERMINAL ====
+  CreateTerminal(CreateTerminal),
+  DeleteTerminal(DeleteTerminal),
+  DeleteAllTerminals(DeleteAllTerminals),
+  BatchDeleteAllTerminals(BatchDeleteAllTerminals),
+
   // ==== STACK ====
   CreateStack(CreateStack),
   CopyStack(CopyStack),
@@ -101,6 +94,8 @@ pub enum WriteRequest {
   RenameStack(RenameStack),
   WriteStackFileContents(WriteStackFileContents),
   RefreshStackCache(RefreshStackCache),
+  CheckStackForUpdate(CheckStackForUpdate),
+  BatchCheckStackForUpdate(BatchCheckStackForUpdate),
 
   // ==== DEPLOYMENT ====
   CreateDeployment(CreateDeployment),
@@ -109,6 +104,8 @@ pub enum WriteRequest {
   DeleteDeployment(DeleteDeployment),
   UpdateDeployment(UpdateDeployment),
   RenameDeployment(RenameDeployment),
+  CheckDeploymentForUpdate(CheckDeploymentForUpdate),
+  BatchCheckDeploymentForUpdate(BatchCheckDeploymentForUpdate),
 
   // ==== BUILD ====
   CreateBuild(CreateBuild),
@@ -119,13 +116,6 @@ pub enum WriteRequest {
   WriteBuildFileContents(WriteBuildFileContents),
   RefreshBuildCache(RefreshBuildCache),
 
-  // ==== BUILDER ====
-  CreateBuilder(CreateBuilder),
-  CopyBuilder(CopyBuilder),
-  DeleteBuilder(DeleteBuilder),
-  UpdateBuilder(UpdateBuilder),
-  RenameBuilder(RenameBuilder),
-
   // ==== REPO ====
   CreateRepo(CreateRepo),
   CopyRepo(CopyRepo),
@@ -134,13 +124,6 @@ pub enum WriteRequest {
   RenameRepo(RenameRepo),
   RefreshRepoCache(RefreshRepoCache),
 
-  // ==== ALERTER ====
-  CreateAlerter(CreateAlerter),
-  CopyAlerter(CopyAlerter),
-  DeleteAlerter(DeleteAlerter),
-  UpdateAlerter(UpdateAlerter),
-  RenameAlerter(RenameAlerter),
-
   // ==== PROCEDURE ====
   CreateProcedure(CreateProcedure),
   CopyProcedure(CopyProcedure),
@@ -165,11 +148,51 @@ pub enum WriteRequest {
   CommitSync(CommitSync),
   RefreshResourceSyncPending(RefreshResourceSyncPending),
 
-  // ==== TERMINAL ====
-  CreateTerminal(CreateTerminal),
-  DeleteTerminal(DeleteTerminal),
-  DeleteAllTerminals(DeleteAllTerminals),
-  BatchDeleteAllTerminals(BatchDeleteAllTerminals),
+  // ==== BUILDER ====
+  CreateBuilder(CreateBuilder),
+  CopyBuilder(CopyBuilder),
+  DeleteBuilder(DeleteBuilder),
+  UpdateBuilder(UpdateBuilder),
+  RenameBuilder(RenameBuilder),
+
+  // ==== ALERTER ====
+  CreateAlerter(CreateAlerter),
+  CopyAlerter(CopyAlerter),
+  DeleteAlerter(DeleteAlerter),
+  UpdateAlerter(UpdateAlerter),
+  RenameAlerter(RenameAlerter),
+
+  // ==== ONBOARDING KEY ====
+  CreateOnboardingKey(CreateOnboardingKey),
+  UpdateOnboardingKey(UpdateOnboardingKey),
+  DeleteOnboardingKey(DeleteOnboardingKey),
+
+  // ==== USER ====
+  PushRecentlyViewed(PushRecentlyViewed),
+  SetLastSeenUpdate(SetLastSeenUpdate),
+  CreateLocalUser(CreateLocalUser),
+  DeleteUser(DeleteUser),
+
+  // ==== SERVICE USER ====
+  CreateServiceUser(CreateServiceUser),
+  UpdateServiceUserDescription(UpdateServiceUserDescription),
+  CreateApiKeyForServiceUser(CreateApiKeyForServiceUser),
+  DeleteApiKeyForServiceUser(DeleteApiKeyForServiceUser),
+
+  // ==== USER GROUP ====
+  CreateUserGroup(CreateUserGroup),
+  RenameUserGroup(RenameUserGroup),
+  DeleteUserGroup(DeleteUserGroup),
+  AddUserToUserGroup(AddUserToUserGroup),
+  RemoveUserFromUserGroup(RemoveUserFromUserGroup),
+  SetUsersInUserGroup(SetUsersInUserGroup),
+  SetEveryoneUserGroup(SetEveryoneUserGroup),
+
+  // ==== PERMISSIONS ====
+  UpdateUserAdmin(UpdateUserAdmin),
+  UpdateUserBasePermissions(UpdateUserBasePermissions),
+  UpdatePermissionOnResourceType(UpdatePermissionOnResourceType),
+  UpdatePermissionOnTarget(UpdatePermissionOnTarget),
 
   // ==== TAG ====
   CreateTag(CreateTag),
@@ -192,11 +215,6 @@ pub enum WriteRequest {
   UpdateDockerRegistryAccount(UpdateDockerRegistryAccount),
   DeleteDockerRegistryAccount(DeleteDockerRegistryAccount),
 
-  // ==== ONBOARDING KEY ====
-  CreateOnboardingKey(CreateOnboardingKey),
-  UpdateOnboardingKey(UpdateOnboardingKey),
-  DeleteOnboardingKey(DeleteOnboardingKey),
-
   // ==== ALERT ====
   CloseAlert(CloseAlert),
 }
@@ -205,14 +223,16 @@ pub fn router() -> Router {
   Router::new()
     .route("/", post(handler))
     .route("/{variant}", post(variant_handler))
-    .layer(middleware::from_fn(auth_request))
+    .layer(middleware::from_fn(
+      authenticate_request::<KomodoAuthImpl, true>,
+    ))
 }
 
 async fn variant_handler(
   user: Extension<User>,
   Path(Variant { variant }): Path<Variant>,
   Json(params): Json<serde_json::Value>,
-) -> serror::Result<axum::response::Response> {
+) -> mogh_error::Result<axum::response::Response> {
   let req: WriteRequest = serde_json::from_value(json!({
     "type": variant,
     "params": params,
@@ -223,10 +243,8 @@ async fn variant_handler(
 async fn handler(
   Extension(user): Extension<User>,
   Json(request): Json<WriteRequest>,
-) -> serror::Result<axum::response::Response> {
-  let req_id = Uuid::new_v4();
-
-  let res = tokio::spawn(task(req_id, request, user))
+) -> mogh_error::Result<axum::response::Response> {
+  let res = tokio::spawn(task(request, user))
     .await
     .context("failure in spawned task");
 
@@ -234,18 +252,22 @@ async fn handler(
 }
 
 async fn task(
-  req_id: Uuid,
   request: WriteRequest,
   user: User,
-) -> serror::Result<axum::response::Response> {
-  let variant = request.extract_variant();
-  info!("/write request | {variant} | user: {}", user.username);
+) -> mogh_error::Result<axum::response::Response> {
+  let req_id = Uuid::new_v4();
+  let variant: WriteRequestVariant = (&request).into();
+
+  info!(
+    "WRITE REQUEST {req_id} | METHOD: {variant} | USER: {} ({})",
+    user.username, user.id
+  );
 
   let res = request.resolve(&WriteArgs { user }).await;
 
   if let Err(e) = &res {
     warn!(
-      "/write request {req_id} | {variant} | error: {:#}",
+      "WRITE REQUEST {req_id} | METHOD: {variant} | ERROR: {:#}",
       e.error
     );
   }

bin/core/src/api/write/onboarding.rs

@@ -10,10 +10,10 @@ use komodo_client::{
     komodo_timestamp, onboarding_key::OnboardingKey, random_string,
   },
 };
-use noise::key::EncodedKeyPair;
+use mogh_error::{AddStatusCode, AddStatusCodeError};
+use mogh_pki::EncodedKeyPair;
+use mogh_resolver::Resolve;
 use reqwest::StatusCode;
-use resolver_api::Resolve;
-use serror::{AddStatusCode, AddStatusCodeError};
 
 use crate::{api::write::WriteArgs, state::db_client};
 
@@ -35,7 +35,7 @@ impl Resolve<WriteArgs> for CreateOnboardingKey {
   async fn resolve(
     self,
     WriteArgs { user: admin }: &WriteArgs,
-  ) -> serror::Result<CreateOnboardingKeyResponse> {
+  ) -> mogh_error::Result<CreateOnboardingKeyResponse> {
     if !admin.admin {
       return Err(
         anyhow!("This call is admin only")
@@ -45,11 +45,14 @@ impl Resolve<WriteArgs> for CreateOnboardingKey {
     let private_key = if let Some(private_key) = self.private_key {
       private_key
     } else {
-      format!("O-{}", random_string(30))
+      format!("O_{}_O", random_string(28))
     };
-    let public_key = EncodedKeyPair::from_private_key(&private_key)?
-      .public
-      .into_inner();
+    let public_key = EncodedKeyPair::from_private_key(
+      mogh_pki::PkiKind::Mutual,
+      &private_key,
+    )?
+    .public
+    .into_inner();
     let onboarding_key = OnboardingKey {
       public_key,
       name: self.name,
@@ -58,6 +61,7 @@ impl Resolve<WriteArgs> for CreateOnboardingKey {
       created_at: komodo_timestamp(),
       expires: self.expires,
       tags: self.tags,
+      fix_existing_servers: self.fix_existing_servers,
       copy_server: self.copy_server,
       create_builder: self.create_builder,
     };
@@ -99,7 +103,7 @@ impl Resolve<WriteArgs> for UpdateOnboardingKey {
   async fn resolve(
     self,
     WriteArgs { user: admin }: &WriteArgs,
-  ) -> serror::Result<UpdateOnboardingKeyResponse> {
+  ) -> mogh_error::Result<UpdateOnboardingKeyResponse> {
     if !admin.admin {
       return Err(
         anyhow!("This call is admin only")
@@ -138,6 +142,10 @@ impl Resolve<WriteArgs> for UpdateOnboardingKey {
       update.insert("tags", tags);
     }
 
+    if let Some(fix_existing_servers) = self.fix_existing_servers {
+      update.insert("fix_existing_servers", fix_existing_servers);
+    }
+
     if let Some(copy_server) = self.copy_server {
       update.insert("copy_server", copy_server);
     }
@@ -176,7 +184,7 @@ impl Resolve<WriteArgs> for DeleteOnboardingKey {
   async fn resolve(
     self,
     WriteArgs { user: admin }: &WriteArgs,
-  ) -> serror::Result<DeleteOnboardingKeyResponse> {
+  ) -> mogh_error::Result<DeleteOnboardingKeyResponse> {
     if !admin.admin {
       return Err(
         anyhow!("This call is admin only")

bin/core/src/api/write/permissions.rs

@@ -8,7 +8,6 @@ use database::mungos::{
     options::UpdateOptions,
   },
 };
-use derive_variants::ExtractVariant as _;
 use komodo_client::{
   api::write::*,
   entities::{
@@ -16,7 +15,7 @@ use komodo_client::{
     permission::{UserTarget, UserTargetVariant},
   },
 };
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;
 
 use crate::{helpers::query::get_user, state::db_client};
 
@@ -35,7 +34,7 @@ impl Resolve<WriteArgs> for UpdateUserAdmin {
   async fn resolve(
     self,
     WriteArgs { user: super_admin }: &WriteArgs,
-  ) -> serror::Result<UpdateUserAdminResponse> {
+  ) -> mogh_error::Result<UpdateUserAdminResponse> {
     if !super_admin.super_admin {
       return Err(
         anyhow!("Only super admins can call this method.").into(),
@@ -83,7 +82,7 @@ impl Resolve<WriteArgs> for UpdateUserBasePermissions {
   async fn resolve(
     self,
     WriteArgs { user: admin }: &WriteArgs,
-  ) -> serror::Result<UpdateUserBasePermissionsResponse> {
+  ) -> mogh_error::Result<UpdateUserBasePermissionsResponse> {
     if !admin.admin {
       return Err(anyhow!("this method is admin only").into());
     }
@@ -149,7 +148,7 @@ impl Resolve<WriteArgs> for UpdatePermissionOnResourceType {
   async fn resolve(
     self,
     WriteArgs { user: admin }: &WriteArgs,
-  ) -> serror::Result<UpdatePermissionOnResourceTypeResponse> {
+  ) -> mogh_error::Result<UpdatePermissionOnResourceTypeResponse> {
     if !admin.admin {
       return Err(anyhow!("this method is admin only").into());
     }
@@ -227,7 +226,7 @@ impl Resolve<WriteArgs> for UpdatePermissionOnTarget {
   async fn resolve(
     self,
     WriteArgs { user: admin }: &WriteArgs,
-  ) -> serror::Result<UpdatePermissionOnTargetResponse> {
+  ) -> mogh_error::Result<UpdatePermissionOnTargetResponse> {
     if !admin.admin {
       return Err(anyhow!("this method is admin only").into());
     }
@@ -296,7 +295,7 @@ impl Resolve<WriteArgs> for UpdatePermissionOnTarget {
 /// checks if inner id is actually a `name`, and replaces it with id if so.
 async fn extract_user_target_with_validation(
   user_target: &UserTarget,
-) -> serror::Result<(UserTargetVariant, String)> {
+) -> mogh_error::Result<(UserTargetVariant, String)> {
   match user_target {
     UserTarget::User(ident) => {
       let filter = match ObjectId::from_str(ident) {
@@ -307,8 +306,8 @@ async fn extract_user_target_with_validation(
         .users
         .find_one(filter)
         .await
-        .context("failed to query db for users")?
-        .context("no matching user found")?
+        .context("Failed to query db for users")?
+        .context("No matching user found")?
         .id;
       Ok((UserTargetVariant::User, id))
     }
@@ -321,8 +320,8 @@ async fn extract_user_target_with_validation(
         .user_groups
         .find_one(filter)
         .await
-        .context("failed to query db for user_groups")?
-        .context("no matching user_group found")?
+        .context("Failed to query db for user_groups")?
+        .context("No matching user_group found")?
         .id;
       Ok((UserTargetVariant::UserGroup, id))
     }
@@ -332,53 +331,25 @@ async fn extract_user_target_with_validation(
 /// checks if inner id is actually a `name`, and replaces it with id if so.
 async fn extract_resource_target_with_validation(
   resource_target: &ResourceTarget,
-) -> serror::Result<(ResourceTargetVariant, String)> {
+) -> mogh_error::Result<(ResourceTargetVariant, String)> {
   match resource_target {
     ResourceTarget::System(_) => {
       let res = resource_target.extract_variant_id();
       Ok((res.0, res.1.clone()))
     }
-    ResourceTarget::Build(ident) => {
+    ResourceTarget::Swarm(ident) => {
       let filter = match ObjectId::from_str(ident) {
         Ok(id) => doc! { "_id": id },
         Err(_) => doc! { "name": ident },
       };
       let id = db_client()
-        .builds
+        .swarms
         .find_one(filter)
         .await
-        .context("failed to query db for builds")?
-        .context("no matching build found")?
+        .context("Failed to query db for swarms")?
+        .context("No matching server found")?
         .id;
-      Ok((ResourceTargetVariant::Build, id))
-    }
-    ResourceTarget::Builder(ident) => {
-      let filter = match ObjectId::from_str(ident) {
-        Ok(id) => doc! { "_id": id },
-        Err(_) => doc! { "name": ident },
-      };
-      let id = db_client()
-        .builders
-        .find_one(filter)
-        .await
-        .context("failed to query db for builders")?
-        .context("no matching builder found")?
-        .id;
-      Ok((ResourceTargetVariant::Builder, id))
-    }
-    ResourceTarget::Deployment(ident) => {
-      let filter = match ObjectId::from_str(ident) {
-        Ok(id) => doc! { "_id": id },
-        Err(_) => doc! { "name": ident },
-      };
-      let id = db_client()
-        .deployments
-        .find_one(filter)
-        .await
-        .context("failed to query db for deployments")?
-        .context("no matching deployment found")?
-        .id;
-      Ok((ResourceTargetVariant::Deployment, id))
+      Ok((ResourceTargetVariant::Server, id))
     }
     ResourceTarget::Server(ident) => {
       let filter = match ObjectId::from_str(ident) {
@@ -389,11 +360,53 @@ async fn extract_resource_target_with_validation(
         .servers
         .find_one(filter)
         .await
-        .context("failed to query db for servers")?
-        .context("no matching server found")?
+        .context("Failed to query db for servers")?
+        .context("No matching server found")?
         .id;
       Ok((ResourceTargetVariant::Server, id))
     }
+    ResourceTarget::Stack(ident) => {
+      let filter = match ObjectId::from_str(ident) {
+        Ok(id) => doc! { "_id": id },
+        Err(_) => doc! { "name": ident },
+      };
+      let id = db_client()
+        .stacks
+        .find_one(filter)
+        .await
+        .context("Failed to query db for stacks")?
+        .context("No matching stack found")?
+        .id;
+      Ok((ResourceTargetVariant::Stack, id))
+    }
+    ResourceTarget::Deployment(ident) => {
+      let filter = match ObjectId::from_str(ident) {
+        Ok(id) => doc! { "_id": id },
+        Err(_) => doc! { "name": ident },
+      };
+      let id = db_client()
+        .deployments
+        .find_one(filter)
+        .await
+        .context("Failed to query db for deployments")?
+        .context("No matching deployment found")?
+        .id;
+      Ok((ResourceTargetVariant::Deployment, id))
+    }
+    ResourceTarget::Build(ident) => {
+      let filter = match ObjectId::from_str(ident) {
+        Ok(id) => doc! { "_id": id },
+        Err(_) => doc! { "name": ident },
+      };
+      let id = db_client()
+        .builds
+        .find_one(filter)
+        .await
+        .context("Failed to query db for builds")?
+        .context("No matching build found")?
+        .id;
+      Ok((ResourceTargetVariant::Build, id))
+    }
     ResourceTarget::Repo(ident) => {
       let filter = match ObjectId::from_str(ident) {
         Ok(id) => doc! { "_id": id },
@@ -403,25 +416,11 @@ async fn extract_resource_target_with_validation(
         .repos
         .find_one(filter)
         .await
-        .context("failed to query db for repos")?
-        .context("no matching repo found")?
+        .context("Failed to query db for repos")?
+        .context("No matching repo found")?
         .id;
       Ok((ResourceTargetVariant::Repo, id))
     }
-    ResourceTarget::Alerter(ident) => {
-      let filter = match ObjectId::from_str(ident) {
-        Ok(id) => doc! { "_id": id },
-        Err(_) => doc! { "name": ident },
-      };
-      let id = db_client()
-        .alerters
-        .find_one(filter)
-        .await
-        .context("failed to query db for alerters")?
-        .context("no matching alerter found")?
-        .id;
-      Ok((ResourceTargetVariant::Alerter, id))
-    }
     ResourceTarget::Procedure(ident) => {
       let filter = match ObjectId::from_str(ident) {
         Ok(id) => doc! { "_id": id },
@@ -431,8 +430,8 @@ async fn extract_resource_target_with_validation(
         .procedures
         .find_one(filter)
         .await
-        .context("failed to query db for procedures")?
-        .context("no matching procedure found")?
+        .context("Failed to query db for procedures")?
+        .context("No matching procedure found")?
         .id;
       Ok((ResourceTargetVariant::Procedure, id))
     }
@@ -445,8 +444,8 @@ async fn extract_resource_target_with_validation(
         .actions
         .find_one(filter)
         .await
-        .context("failed to query db for actions")?
-        .context("no matching action found")?
+        .context("Failed to query db for actions")?
+        .context("No matching action found")?
         .id;
       Ok((ResourceTargetVariant::Action, id))
     }
@@ -459,24 +458,38 @@ async fn extract_resource_target_with_validation(
         .resource_syncs
         .find_one(filter)
         .await
-        .context("failed to query db for resource syncs")?
-        .context("no matching resource sync found")?
+        .context("Failed to query db for resource syncs")?
+        .context("No matching resource sync found")?
         .id;
       Ok((ResourceTargetVariant::ResourceSync, id))
     }
-    ResourceTarget::Stack(ident) => {
+    ResourceTarget::Builder(ident) => {
       let filter = match ObjectId::from_str(ident) {
         Ok(id) => doc! { "_id": id },
         Err(_) => doc! { "name": ident },
       };
       let id = db_client()
-        .stacks
+        .builders
         .find_one(filter)
         .await
-        .context("failed to query db for stacks")?
-        .context("no matching stack found")?
+        .context("Failed to query db for builders")?
+        .context("No matching builder found")?
         .id;
-      Ok((ResourceTargetVariant::Stack, id))
+      Ok((ResourceTargetVariant::Builder, id))
+    }
+    ResourceTarget::Alerter(ident) => {
+      let filter = match ObjectId::from_str(ident) {
+        Ok(id) => doc! { "_id": id },
+        Err(_) => doc! { "name": ident },
+      };
+      let id = db_client()
+        .alerters
+        .find_one(filter)
+        .await
+        .context("Failed to query db for alerters")?
+        .context("No matching alerter found")?
+        .id;
+      Ok((ResourceTargetVariant::Alerter, id))
     }
   }
 }

bin/core/src/api/write/procedure.rs

@@ -4,7 +4,7 @@ use komodo_client::{
     permission::PermissionLevel, procedure::Procedure, update::Update,
   },
 };
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;
 
 use crate::{permission::get_check_permissions, resource};
 
@@ -23,7 +23,7 @@ impl Resolve<WriteArgs> for CreateProcedure {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<CreateProcedureResponse> {
+  ) -> mogh_error::Result<CreateProcedureResponse> {
     resource::create::<Procedure>(&self.name, self.config, None, user)
       .await
   }
@@ -42,7 +42,7 @@ impl Resolve<WriteArgs> for CopyProcedure {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<CopyProcedureResponse> {
+  ) -> mogh_error::Result<CopyProcedureResponse> {
     let Procedure { config, .. } =
       get_check_permissions::<Procedure>(
         &self.id,
@@ -73,7 +73,7 @@ impl Resolve<WriteArgs> for UpdateProcedure {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<UpdateProcedureResponse> {
+  ) -> mogh_error::Result<UpdateProcedureResponse> {
     Ok(
       resource::update::<Procedure>(&self.id, self.config, user)
         .await?,
@@ -94,7 +94,7 @@ impl Resolve<WriteArgs> for RenameProcedure {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
     Ok(
       resource::rename::<Procedure>(&self.id, &self.name, user)
         .await?,
@@ -114,7 +114,7 @@ impl Resolve<WriteArgs> for DeleteProcedure {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<DeleteProcedureResponse> {
+  ) -> mogh_error::Result<DeleteProcedureResponse> {
     Ok(resource::delete::<Procedure>(&self.id, user).await?)
   }
 }

bin/core/src/api/write/provider.rs

@@ -10,9 +10,9 @@ use komodo_client::{
     provider::{DockerRegistryAccount, GitProviderAccount},
   },
 };
+use mogh_error::AddStatusCodeError;
+use mogh_resolver::Resolve;
 use reqwest::StatusCode;
-use resolver_api::Resolve;
-use serror::AddStatusCodeError;
 
 use crate::{
   helpers::update::{add_update, make_update},
@@ -35,7 +35,7 @@ impl Resolve<WriteArgs> for CreateGitProviderAccount {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<CreateGitProviderAccountResponse> {
+  ) -> mogh_error::Result<CreateGitProviderAccountResponse> {
     if !user.admin {
       return Err(
         anyhow!("Only admins can create git provider accounts")
@@ -111,7 +111,7 @@ impl Resolve<WriteArgs> for UpdateGitProviderAccount {
   async fn resolve(
     mut self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<UpdateGitProviderAccountResponse> {
+  ) -> mogh_error::Result<UpdateGitProviderAccountResponse> {
     if !user.admin {
       return Err(
         anyhow!("Only admins can update git provider accounts")
@@ -199,7 +199,7 @@ impl Resolve<WriteArgs> for DeleteGitProviderAccount {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<DeleteGitProviderAccountResponse> {
+  ) -> mogh_error::Result<DeleteGitProviderAccountResponse> {
     if !user.admin {
       return Err(
         anyhow!("Only admins can delete git provider accounts")
@@ -261,7 +261,7 @@ impl Resolve<WriteArgs> for CreateDockerRegistryAccount {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<CreateDockerRegistryAccountResponse> {
+  ) -> mogh_error::Result<CreateDockerRegistryAccountResponse> {
     if !user.admin {
       return Err(
         anyhow!(
@@ -340,7 +340,7 @@ impl Resolve<WriteArgs> for UpdateDockerRegistryAccount {
   async fn resolve(
     mut self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<UpdateDockerRegistryAccountResponse> {
+  ) -> mogh_error::Result<UpdateDockerRegistryAccountResponse> {
     if !user.admin {
       return Err(
         anyhow!("Only admins can update docker registry accounts")
@@ -435,7 +435,7 @@ impl Resolve<WriteArgs> for DeleteDockerRegistryAccount {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<DeleteDockerRegistryAccountResponse> {
+  ) -> mogh_error::Result<DeleteDockerRegistryAccountResponse> {
     if !user.admin {
       return Err(
         anyhow!("Only admins can delete docker registry accounts")

bin/core/src/api/write/repo.rs

@@ -15,8 +15,8 @@ use komodo_client::{
     update::{Log, Update},
   },
 };
+use mogh_resolver::Resolve;
 use periphery_client::api;
-use resolver_api::Resolve;
 
 use crate::{
   config::core_config,
@@ -44,7 +44,7 @@ impl Resolve<WriteArgs> for CreateRepo {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Repo> {
+  ) -> mogh_error::Result<Repo> {
     resource::create::<Repo>(&self.name, self.config, None, user)
       .await
   }
@@ -63,7 +63,7 @@ impl Resolve<WriteArgs> for CopyRepo {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Repo> {
+  ) -> mogh_error::Result<Repo> {
     let Repo { config, .. } = get_check_permissions::<Repo>(
       &self.id,
       user,
@@ -87,7 +87,7 @@ impl Resolve<WriteArgs> for DeleteRepo {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Repo> {
+  ) -> mogh_error::Result<Repo> {
     Ok(resource::delete::<Repo>(&self.id, user).await?)
   }
 }
@@ -105,7 +105,7 @@ impl Resolve<WriteArgs> for UpdateRepo {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Repo> {
+  ) -> mogh_error::Result<Repo> {
     Ok(resource::update::<Repo>(&self.id, self.config, user).await?)
   }
 }
@@ -123,7 +123,7 @@ impl Resolve<WriteArgs> for RenameRepo {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
     let repo = get_check_permissions::<Repo>(
       &self.id,
       user,
@@ -199,7 +199,7 @@ impl Resolve<WriteArgs> for RefreshRepoCache {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<NoData> {
+  ) -> mogh_error::Result<NoData> {
     // Even though this is a write request, this doesn't change any config. Anyone that can execute the
     // repo should be able to do this.
     let repo = get_check_permissions::<Repo>(

bin/core/src/api/write/resource.rs

@@ -1,16 +1,16 @@
 use anyhow::anyhow;
-use derive_variants::ExtractVariant as _;
 use komodo_client::{
   api::write::{UpdateResourceMeta, UpdateResourceMetaResponse},
   entities::{
     ResourceTarget, action::Action, alerter::Alerter, build::Build,
     builder::Builder, deployment::Deployment, procedure::Procedure,
-    repo::Repo, server::Server, stack::Stack, sync::ResourceSync,
+    repo::Repo, server::Server, stack::Stack, swarm::Swarm,
+    sync::ResourceSync,
   },
 };
+use mogh_error::AddStatusCodeError;
+use mogh_resolver::Resolve;
 use reqwest::StatusCode;
-use resolver_api::Resolve;
-use serror::AddStatusCodeError;
 
 use crate::resource::{self, ResourceMetaUpdate};
 
@@ -32,7 +32,7 @@ impl Resolve<WriteArgs> for UpdateResourceMeta {
   async fn resolve(
     self,
     args: &WriteArgs,
-  ) -> serror::Result<UpdateResourceMetaResponse> {
+  ) -> mogh_error::Result<UpdateResourceMetaResponse> {
     let meta = ResourceMetaUpdate {
       description: self.description,
       template: self.template,
@@ -45,9 +45,15 @@ impl Resolve<WriteArgs> for UpdateResourceMeta {
             .status_code(StatusCode::BAD_REQUEST),
         );
       }
+      ResourceTarget::Swarm(id) => {
+        resource::update_meta::<Swarm>(&id, meta, args).await?;
+      }
       ResourceTarget::Server(id) => {
         resource::update_meta::<Server>(&id, meta, args).await?;
       }
+      ResourceTarget::Stack(id) => {
+        resource::update_meta::<Stack>(&id, meta, args).await?;
+      }
       ResourceTarget::Deployment(id) => {
         resource::update_meta::<Deployment>(&id, meta, args).await?;
       }
@@ -57,12 +63,6 @@ impl Resolve<WriteArgs> for UpdateResourceMeta {
       ResourceTarget::Repo(id) => {
         resource::update_meta::<Repo>(&id, meta, args).await?;
       }
-      ResourceTarget::Builder(id) => {
-        resource::update_meta::<Builder>(&id, meta, args).await?;
-      }
-      ResourceTarget::Alerter(id) => {
-        resource::update_meta::<Alerter>(&id, meta, args).await?;
-      }
       ResourceTarget::Procedure(id) => {
         resource::update_meta::<Procedure>(&id, meta, args).await?;
       }
@@ -73,8 +73,11 @@ impl Resolve<WriteArgs> for UpdateResourceMeta {
         resource::update_meta::<ResourceSync>(&id, meta, args)
           .await?;
       }
-      ResourceTarget::Stack(id) => {
-        resource::update_meta::<Stack>(&id, meta, args).await?;
+      ResourceTarget::Builder(id) => {
+        resource::update_meta::<Builder>(&id, meta, args).await?;
+      }
+      ResourceTarget::Alerter(id) => {
+        resource::update_meta::<Alerter>(&id, meta, args).await?;
       }
     }
     Ok(UpdateResourceMetaResponse {})

bin/core/src/api/write/server.rs

@@ -10,8 +10,8 @@ use komodo_client::{
     update::{Update, UpdateStatus},
   },
 };
+use mogh_resolver::Resolve;
 use periphery_client::api;
-use resolver_api::Resolve;
 
 use crate::{
   helpers::{
@@ -37,7 +37,7 @@ impl Resolve<WriteArgs> for CreateServer {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Server> {
+  ) -> mogh_error::Result<Server> {
     resource::create::<Server>(
       &self.name,
       self.config,
@@ -64,7 +64,7 @@ impl Resolve<WriteArgs> for CopyServer {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Server> {
+  ) -> mogh_error::Result<Server> {
     let Server { config, .. } = get_check_permissions::<Server>(
       &self.id,
       user,
@@ -97,7 +97,7 @@ impl Resolve<WriteArgs> for DeleteServer {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Server> {
+  ) -> mogh_error::Result<Server> {
     Ok(resource::delete::<Server>(&self.id, user).await?)
   }
 }
@@ -115,7 +115,7 @@ impl Resolve<WriteArgs> for UpdateServer {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Server> {
+  ) -> mogh_error::Result<Server> {
     Ok(resource::update::<Server>(&self.id, self.config, user).await?)
   }
 }
@@ -133,7 +133,7 @@ impl Resolve<WriteArgs> for RenameServer {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
     Ok(resource::rename::<Server>(&self.id, &self.name, user).await?)
   }
 }
@@ -151,7 +151,7 @@ impl Resolve<WriteArgs> for CreateNetwork {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
     let server = get_check_permissions::<Server>(
       &self.server,
       user,

bin/core/src/api/write/service_user.rs

@@ -1,20 +1,22 @@
-use std::str::FromStr;
-
 use anyhow::{Context, anyhow};
-use database::mungos::{
-  by_id::find_one_by_id,
-  mongodb::bson::{doc, oid::ObjectId},
-};
+use database::mungos::{by_id::find_one_by_id, mongodb::bson::doc};
 use komodo_client::{
-  api::{user::CreateApiKey, write::*},
+  api::write::*,
   entities::{
     komodo_timestamp,
-    user::{User, UserConfig},
+    user::{NewUserParams, User, UserConfig},
   },
 };
-use resolver_api::Resolve;
+use mogh_auth_client::api::manage::CreateApiKey;
+use mogh_auth_server::api::manage::api_key::create_api_key;
+use mogh_error::{AddStatusCode as _, AddStatusCodeError as _};
+use mogh_resolver::Resolve;
+use reqwest::StatusCode;
 
-use crate::{api::user::UserArgs, state::db_client};
+use crate::{
+  auth::KomodoAuthImpl, helpers::validations::validate_username,
+  state::db_client,
+};
 
 use super::WriteArgs;
 
@@ -31,32 +33,30 @@ impl Resolve<WriteArgs> for CreateServiceUser {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<CreateServiceUserResponse> {
+  ) -> mogh_error::Result<CreateServiceUserResponse> {
     if !user.admin {
-      return Err(anyhow!("user not admin").into());
-    }
-    if ObjectId::from_str(&self.username).is_ok() {
       return Err(
-        anyhow!("username cannot be valid ObjectId").into(),
+        anyhow!("Only Admins can manage Service Users")
+          .status_code(StatusCode::FORBIDDEN),
       );
     }
+
+    validate_username(&self.username)
+      .status_code(StatusCode::BAD_REQUEST)?;
+
     let config = UserConfig::Service {
       description: self.description,
     };
-    let mut user = User {
-      id: Default::default(),
+
+    let mut user = User::new(NewUserParams {
       username: self.username,
-      config,
       enabled: true,
       admin: false,
       super_admin: false,
-      create_server_permissions: false,
-      create_build_permissions: false,
-      last_update_view: 0,
-      recents: Default::default(),
-      all: Default::default(),
+      config,
       updated_at: komodo_timestamp(),
-    };
+    });
+
     user.id = db_client()
       .users
       .insert_one(&user)
@@ -66,6 +66,7 @@ impl Resolve<WriteArgs> for CreateServiceUser {
       .as_object_id()
       .context("inserted id is not object id")?
       .to_string();
+
     Ok(user)
   }
 }
@@ -83,20 +84,30 @@ impl Resolve<WriteArgs> for UpdateServiceUserDescription {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<UpdateServiceUserDescriptionResponse> {
+  ) -> mogh_error::Result<UpdateServiceUserDescriptionResponse> {
     if !user.admin {
-      return Err(anyhow!("user not admin").into());
+      return Err(
+        anyhow!("Only Admins can manage Service Users")
+          .status_code(StatusCode::FORBIDDEN),
+      );
     }
+
     let db = db_client();
+
     let service_user = db
       .users
       .find_one(doc! { "username": &self.username })
       .await
-      .context("failed to query db for user")?
-      .context("no user with given username")?;
+      .context("Failed to query db for user")?
+      .context("No user with given username")?;
+
     let UserConfig::Service { .. } = &service_user.config else {
-      return Err(anyhow!("user is not service user").into());
+      return Err(
+        anyhow!("Target user is not Service User")
+          .status_code(StatusCode::FORBIDDEN),
+      );
     };
+
     db.users
       .update_one(
         doc! { "username": &self.username },
@@ -104,13 +115,15 @@ impl Resolve<WriteArgs> for UpdateServiceUserDescription {
       )
       .await
       .context("failed to update user on db")?;
-    let res = db
+
+    let service_user = db
       .users
       .find_one(doc! { "username": &self.username })
       .await
       .context("failed to query db for user")?
       .context("user with username not found")?;
-    Ok(res)
+
+    Ok(service_user)
   }
 }
 
@@ -128,23 +141,35 @@ impl Resolve<WriteArgs> for CreateApiKeyForServiceUser {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<CreateApiKeyForServiceUserResponse> {
+  ) -> mogh_error::Result<CreateApiKeyForServiceUserResponse> {
     if !user.admin {
-      return Err(anyhow!("user not admin").into());
+      return Err(
+        anyhow!("Only Admins can manage Service Users")
+          .status_code(StatusCode::FORBIDDEN),
+      );
     }
+
     let service_user =
       find_one_by_id(&db_client().users, &self.user_id)
         .await
-        .context("failed to query db for user")?
-        .context("no user found with id")?;
+        .context("Failed to query db for user")?
+        .context("No user found with id")?;
+
     let UserConfig::Service { .. } = &service_user.config else {
-      return Err(anyhow!("user is not service user").into());
+      return Err(
+        anyhow!("Target user is not Service User")
+          .status_code(StatusCode::FORBIDDEN),
+      );
     };
-    CreateApiKey {
-      name: self.name,
-      expires: self.expires,
-    }
-    .resolve(&UserArgs { user: service_user })
+
+    create_api_key(
+      &KomodoAuthImpl,
+      service_user.id,
+      CreateApiKey {
+        name: self.name,
+        expires: self.expires as u64,
+      },
+    )
     .await
   }
 }
@@ -161,25 +186,36 @@ impl Resolve<WriteArgs> for DeleteApiKeyForServiceUser {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<DeleteApiKeyForServiceUserResponse> {
+  ) -> mogh_error::Result<DeleteApiKeyForServiceUserResponse> {
     if !user.admin {
-      return Err(anyhow!("user not admin").into());
+      return Err(
+        anyhow!("Only Admins can manage Service Users")
+          .status_code(StatusCode::FORBIDDEN),
+      );
     }
+
     let db = db_client();
+
     let api_key = db
       .api_keys
       .find_one(doc! { "key": &self.key })
       .await
       .context("failed to query db for api key")?
       .context("did not find matching api key")?;
+
     let service_user =
       find_one_by_id(&db_client().users, &api_key.user_id)
         .await
         .context("failed to query db for user")?
         .context("no user found with id")?;
+
     let UserConfig::Service { .. } = &service_user.config else {
-      return Err(anyhow!("user is not service user").into());
+      return Err(
+        anyhow!("Target user is not Service User")
+          .status_code(StatusCode::FORBIDDEN),
+      );
     };
+
     db.api_keys
       .delete_one(doc! { "key": self.key })
       .await

bin/core/src/api/write/stack.rs

@@ -1,42 +1,55 @@
-use std::path::PathBuf;
+use std::{collections::HashMap, path::PathBuf, sync::OnceLock};
 
 use anyhow::{Context, anyhow};
-use database::mungos::mongodb::bson::{doc, to_document};
-use formatting::format_serror;
-use komodo_client::{
-  api::write::*,
-  entities::{
-    FileContents, NoData, Operation, RepoExecutionArgs,
-    all_logs_success,
-    permission::PermissionLevel,
-    repo::Repo,
-    server::ServerState,
-    stack::{Stack, StackInfo},
-    update::Update,
-    user::stack_user,
+use database::{
+  bson::to_bson,
+  mungos::{
+    by_id::update_one_by_id,
+    mongodb::bson::{doc, to_document},
   },
 };
+use formatting::format_serror;
+use futures_util::{StreamExt as _, stream::FuturesOrdered};
+use komodo_client::{
+  api::{execute::DeployStack, write::*},
+  entities::{
+    FileContents, NoData, Operation, RepoExecutionArgs,
+    ResourceTarget, SwarmOrServer,
+    alert::{Alert, AlertData, SeverityLevel},
+    all_logs_success, komodo_timestamp,
+    permission::PermissionLevel,
+    repo::Repo,
+    stack::{Stack, StackInfo, StackServiceWithUpdate, StackState},
+    update::Update,
+    user::{auto_redeploy_user, stack_user, system_user},
+  },
+};
+use mogh_cache::SetCache;
+use mogh_resolver::Resolve;
 use periphery_client::api::compose::{
   GetComposeContentsOnHost, GetComposeContentsOnHostResponse,
   WriteComposeContentsToHost,
 };
-use resolver_api::Resolve;
 
 use crate::{
+  alert::send_alerts,
+  api::execute::{self, ExecuteRequest, ExecutionResult},
   config::core_config,
   helpers::{
-    periphery_client,
-    query::get_server_with_state,
-    stack_git_token,
-    update::{add_update, make_update},
+    query::get_swarm_or_server,
+    stack_git_token, swarm_or_server_request,
+    update::{add_update, make_update, poll_update_until_complete},
   },
   permission::get_check_permissions,
-  resource,
+  resource::{self, list_full_for_user_using_pattern},
   stack::{
     remote::{RemoteComposeContents, get_repo_compose_contents},
-    services::extract_services_into_res,
+    services::{
+      extract_services_from_stack, extract_services_into_res,
+    },
+    setup_stack_execution,
   },
-  state::db_client,
+  state::{db_client, image_digest_cache, stack_status_cache},
 };
 
 use super::WriteArgs;
@@ -54,7 +67,7 @@ impl Resolve<WriteArgs> for CreateStack {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Stack> {
+  ) -> mogh_error::Result<Stack> {
     resource::create::<Stack>(&self.name, self.config, None, user)
       .await
   }
@@ -73,7 +86,7 @@ impl Resolve<WriteArgs> for CopyStack {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Stack> {
+  ) -> mogh_error::Result<Stack> {
     let Stack { config, .. } = get_check_permissions::<Stack>(
       &self.id,
       user,
@@ -98,7 +111,7 @@ impl Resolve<WriteArgs> for DeleteStack {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Stack> {
+  ) -> mogh_error::Result<Stack> {
     Ok(resource::delete::<Stack>(&self.id, user).await?)
   }
 }
@@ -116,8 +129,31 @@ impl Resolve<WriteArgs> for UpdateStack {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Stack> {
-    Ok(resource::update::<Stack>(&self.id, self.config, user).await?)
+  ) -> mogh_error::Result<Stack> {
+    let compose_update = self.config.linked_repo.is_some()
+      || self.config.repo.is_some()
+      || self.config.files_on_host.is_some()
+      || self.config.file_contents.is_some();
+
+    let stack =
+      resource::update::<Stack>(&self.id, self.config, user).await?;
+
+    if compose_update {
+      tokio::spawn(async move {
+        let _ = (CheckStackForUpdate {
+          stack: self.id,
+          skip_auto_update: false,
+          wait_for_auto_update: false,
+          skip_cache_refresh: true,
+        })
+        .resolve(&WriteArgs {
+          user: system_user().to_owned(),
+        })
+        .await;
+      });
+    }
+
+    Ok(stack)
   }
 }
 
@@ -134,7 +170,7 @@ impl Resolve<WriteArgs> for RenameStack {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
     Ok(resource::rename::<Stack>(&self.id, &self.name, user).await?)
   }
 }
@@ -152,7 +188,7 @@ impl Resolve<WriteArgs> for WriteStackFileContents {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
     let WriteStackFileContents {
       stack,
       file_path,
@@ -179,11 +215,13 @@ impl Resolve<WriteArgs> for WriteStackFileContents {
 
     update.push_simple_log("File contents to write", &contents);
 
-    if stack.config.files_on_host {
+    let id = stack.id.clone();
+
+    let update = if stack.config.files_on_host {
       write_stack_file_contents_on_host(
         stack, file_path, contents, update,
       )
-      .await
+      .await?
     } else {
       write_stack_file_contents_git(
         stack,
@@ -192,8 +230,23 @@ impl Resolve<WriteArgs> for WriteStackFileContents {
         &user.username,
         update,
       )
-      .await
-    }
+      .await?
+    };
+
+    tokio::spawn(async move {
+      let _ = (CheckStackForUpdate {
+        stack: id,
+        skip_auto_update: false,
+        wait_for_auto_update: false,
+        skip_cache_refresh: true,
+      })
+      .resolve(&WriteArgs {
+        user: system_user().to_owned(),
+      })
+      .await;
+    });
+
+    Ok(update)
   }
 }
 
@@ -203,33 +256,25 @@ async fn write_stack_file_contents_on_host(
   file_path: String,
   contents: String,
   mut update: Update,
-) -> serror::Result<Update> {
-  if stack.config.server_id.is_empty() {
-    return Err(anyhow!(
-      "Cannot write file, Files on host Stack has not configured a Server"
-    ).into());
-  }
-  let (server, state) =
-    get_server_with_state(&stack.config.server_id).await?;
-  if state != ServerState::Ok {
-    return Err(
-      anyhow!(
-        "Cannot write file when server is unreachable or disabled"
-      )
-      .into(),
-    );
-  }
-  match periphery_client(&server)
-    .await?
-    .request(WriteComposeContentsToHost {
+) -> mogh_error::Result<Update> {
+  let swarm_or_server = get_swarm_or_server(
+    &stack.config.swarm_id,
+    &stack.config.server_id,
+  )
+  .await?;
+
+  let res = swarm_or_server_request(
+    &swarm_or_server,
+    WriteComposeContentsToHost {
       name: stack.name,
       run_directory: stack.config.run_directory,
       file_path,
       contents,
-    })
-    .await
-    .context("Failed to write contents to host")
-  {
+    },
+  )
+  .await;
+
+  match res {
     Ok(log) => {
       update.logs.push(log);
     }
@@ -239,7 +284,7 @@ async fn write_stack_file_contents_on_host(
         format_serror(&e.into()),
       );
     }
-  };
+  }
 
   if !all_logs_success(&update.logs) {
     update.finalize();
@@ -277,7 +322,7 @@ async fn write_stack_file_contents_git(
   contents: &str,
   username: &str,
   mut update: Update,
-) -> serror::Result<Update> {
+) -> mogh_error::Result<Update> {
   let mut repo = if !stack.config.linked_repo.is_empty() {
     crate::resource::get::<Repo>(&stack.config.linked_repo)
       .await?
@@ -415,7 +460,7 @@ impl Resolve<WriteArgs> for RefreshStackCache {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<NoData> {
+  ) -> mogh_error::Result<NoData> {
     // Even though this is a write request, this doesn't change any config. Anyone that can execute the
     // stack should be able to do this.
     let stack = get_check_permissions::<Stack>(
@@ -448,6 +493,15 @@ impl Resolve<WriteArgs> for RefreshStackCache {
     }
 
     let mut missing_files = Vec::new();
+    let service_image_digests = stack
+      .info
+      .latest_services
+      .iter()
+      .filter_map(|s| {
+        let digest = s.image_digest.clone()?;
+        Some((s.service_name.clone(), digest))
+      })
+      .collect::<HashMap<_, _>>();
 
     let (
       latest_services,
@@ -459,26 +513,22 @@ impl Resolve<WriteArgs> for RefreshStackCache {
       // =============
       // FILES ON HOST
       // =============
-      let (server, state) = if stack.config.server_id.is_empty() {
-        (None, ServerState::Disabled)
-      } else {
-        let (server, state) =
-          get_server_with_state(&stack.config.server_id).await?;
-        (Some(server), state)
-      };
-      if state != ServerState::Ok {
-        (vec![], None, None, None, None)
-      } else if let Some(server) = server {
+      if let Ok(swarm_or_server) = get_swarm_or_server(
+        &stack.config.swarm_id,
+        &stack.config.server_id,
+      )
+      .await
+      {
         let GetComposeContentsOnHostResponse { contents, errors } =
-          match periphery_client(&server)
-            .await?
-            .request(GetComposeContentsOnHost {
+          match swarm_or_server_request(
+            &swarm_or_server,
+            GetComposeContentsOnHost {
               file_paths: stack.all_file_dependencies(),
               name: stack.name.clone(),
               run_directory: stack.config.run_directory.clone(),
-            })
-            .await
-            .context("failed to get compose file contents from host")
+            },
+          )
+          .await
           {
             Ok(res) => res,
             Err(e) => GetComposeContentsOnHostResponse {
@@ -489,7 +539,6 @@ impl Resolve<WriteArgs> for RefreshStackCache {
               }],
             },
           };
-
         let project_name = stack.project_name(true);
 
         let mut services = Vec::new();
@@ -502,6 +551,7 @@ impl Resolve<WriteArgs> for RefreshStackCache {
           if let Err(e) = extract_services_into_res(
             &project_name,
             &contents.contents,
+            &service_image_digests,
             &mut services,
           ) {
             warn!(
@@ -544,6 +594,7 @@ impl Resolve<WriteArgs> for RefreshStackCache {
         if let Err(e) = extract_services_into_res(
           &project_name,
           &contents.contents,
+          &service_image_digests,
           &mut services,
         ) {
           warn!(
@@ -569,6 +620,7 @@ impl Resolve<WriteArgs> for RefreshStackCache {
         // this should latest (not deployed), so make the project name fresh.
         &stack.project_name(true),
         &stack.config.file_contents,
+        &service_image_digests,
         &mut services,
       ) {
         warn!(
@@ -610,3 +662,414 @@ impl Resolve<WriteArgs> for RefreshStackCache {
     Ok(NoData {})
   }
 }
+
+//
+
+impl Resolve<WriteArgs> for CheckStackForUpdate {
+  #[instrument(
+    "CheckStackForUpdate",
+    skip_all,
+    fields(
+      operator = user.id,
+      stack = self.stack,
+    )
+  )]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> mogh_error::Result<Self::Response> {
+    // Even though this is a write request, this doesn't change any config. Anyone that can execute the
+    // stack should be able to do this.
+    let (stack, swarm_or_server) = setup_stack_execution(
+      &self.stack,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    swarm_or_server.verify_has_target()?;
+
+    check_stack_for_update_inner(
+      stack.id,
+      &swarm_or_server,
+      self.skip_auto_update,
+      self.wait_for_auto_update,
+      self.skip_cache_refresh,
+    )
+    .await
+    .map_err(Into::into)
+  }
+}
+
+/// If it goes down the "update available" path,
+/// only send alert if stack id + service is not in this cache.
+/// If alert is sent, add ID to cache.
+/// If later it goes down non "update available" path,
+/// remove the id from cache, so next time it does another alert
+/// will be sent.
+fn stack_alert_sent_cache() -> &'static SetCache<(String, String)> {
+  static CACHE: OnceLock<SetCache<(String, String)>> =
+    OnceLock::new();
+  CACHE.get_or_init(Default::default)
+}
+
+/// First refresh stack cache, then save
+/// latest available 'image_digest' for stack services
+/// to database.
+#[instrument(
+  "CheckStackForUpdateInner",
+  skip_all,
+  fields(
+    stack = stack,
+  )
+)]
+pub async fn check_stack_for_update_inner(
+  // ID or name.
+  stack: String,
+  swarm_or_server: &SwarmOrServer,
+  skip_auto_update: bool,
+  // Otherwise spawns task to run in background
+  wait_for_auto_update: bool,
+  skip_cache_refresh: bool,
+) -> anyhow::Result<CheckStackForUpdateResponse> {
+  if !skip_cache_refresh {
+    (RefreshStackCache {
+      stack: stack.clone(),
+    })
+    .resolve(&WriteArgs {
+      user: system_user().to_owned(),
+    })
+    .await
+    .map_err(|e| e.error)
+    .context("Failed to refresh stack cache before update check")?;
+  }
+
+  // Query again after refresh
+  let mut stack = resource::get::<Stack>(&stack).await?;
+
+  let cache = image_digest_cache();
+
+  for service in &mut stack.info.latest_services {
+    // Prefer the image coming from deployed services
+    // so it will be after any interpolation.
+    let image = stack
+      .info
+      .deployed_services
+      .as_ref()
+      .and_then(|services| {
+        services.iter().find_map(|deployed| {
+          (deployed.service_name == service.service_name)
+            .then_some(&deployed.image)
+        })
+      })
+      .unwrap_or(&service.image);
+
+    if image.is_empty() ||
+      // Images with a hardcoded digest can't have update.
+      image.contains('@')
+    {
+      service.image_digest = None;
+      continue;
+    }
+    match cache.get(&swarm_or_server, image, None, None).await {
+      Ok(digest) => service.image_digest = Some(digest),
+      Err(e) => {
+        warn!(
+          "Failed to check for update | Stack: {} | Service: {} | Error: {e:#}",
+          stack.name, service.service_name
+        );
+        service.image_digest = None;
+        continue;
+      }
+    };
+  }
+
+  let latest_services = to_bson(&stack.info.latest_services)
+    .context("Failed to serialize stack latest services to BSON")?;
+
+  update_one_by_id(
+    &db_client().stacks,
+    &stack.id,
+    doc! { "$set": { "info.latest_services": latest_services } },
+    None,
+  )
+  .await?;
+
+  let alert_cache = stack_alert_sent_cache();
+
+  let Some(status) = stack_status_cache().get(&stack.id).await else {
+    alert_cache
+      .retain(|(stack_id, _)| stack_id != &stack.id)
+      .await;
+    return Ok(CheckStackForUpdateResponse {
+      services: extract_services_from_stack(&stack)
+        .into_iter()
+        .map(|service| StackServiceWithUpdate {
+          service: service.service_name,
+          image: service.image,
+          update_available: false,
+        })
+        .collect(),
+      stack: stack.id,
+    });
+  };
+
+  let StackState::Running = status.curr.state else {
+    alert_cache
+      .retain(|(stack_id, _)| stack_id != &stack.id)
+      .await;
+    return Ok(CheckStackForUpdateResponse {
+      stack: stack.id,
+      services: status
+        .curr
+        .services
+        .iter()
+        .map(|service| StackServiceWithUpdate {
+          service: service.service.clone(),
+          image: service.image.clone(),
+          update_available: false,
+        })
+        .collect(),
+    });
+  };
+
+  let mut services = Vec::new();
+
+  for service in status.curr.services.iter() {
+    let mut service_with_update = StackServiceWithUpdate {
+      service: service.service.clone(),
+      image: service.image.clone(),
+      update_available: false,
+    };
+
+    let Some(current_digests) = &service.image_digests else {
+      services.push(service_with_update);
+      continue;
+    };
+
+    let Some(latest_digest) =
+      stack.info.latest_services.iter().find_map(|s| {
+        if s.service_name == service.service {
+          s.image_digest.clone()
+        } else {
+          None
+        }
+      })
+    else {
+      services.push(service_with_update);
+      continue;
+    };
+
+    service_with_update.update_available =
+      latest_digest.update_available(&current_digests);
+
+    if service_with_update.update_available
+      && (skip_auto_update || !stack.config.auto_update)
+      && !alert_cache
+        .contains(&(stack.id.clone(), service.service.clone()))
+        .await
+    {
+      // Send service update available alert
+      alert_cache
+        .insert((stack.id.clone(), service.service.clone()))
+        .await;
+      let ts = komodo_timestamp();
+      let alert = Alert {
+        id: Default::default(),
+        ts,
+        resolved: true,
+        resolved_ts: ts.into(),
+        level: SeverityLevel::Ok,
+        target: ResourceTarget::Stack(stack.id.clone()),
+        data: AlertData::StackImageUpdateAvailable {
+          id: stack.id.clone(),
+          name: stack.name.clone(),
+          swarm_name: swarm_or_server
+            .swarm_name()
+            .map(str::to_string),
+          swarm_id: swarm_or_server.swarm_id().map(str::to_string),
+          server_name: swarm_or_server
+            .server_name()
+            .map(str::to_string),
+          server_id: swarm_or_server.server_id().map(str::to_string),
+          service: service.service.clone(),
+          image: service.image.clone(),
+        },
+      };
+      let res = db_client().alerts.insert_one(&alert).await;
+      if let Err(e) = res {
+        error!(
+          "Failed to record StackImageUpdateAvailable to db | {e:#}"
+        );
+      }
+      send_alerts(&[alert]).await;
+    }
+
+    services.push(service_with_update);
+  }
+
+  let services_with_update = services
+    .iter()
+    .filter(|service| service.update_available)
+    .cloned()
+    .collect::<Vec<_>>();
+
+  if skip_auto_update
+    || !stack.config.auto_update
+    || services_with_update.is_empty()
+  {
+    return Ok(CheckStackForUpdateResponse {
+      stack: stack.id,
+      services,
+    });
+  }
+
+  // Conservatively remove from alert cache so 'skip_auto_update'
+  // doesn't cause alerts not to be sent on subsequent calls.
+  alert_cache
+    .retain(|(stack_id, _)| stack_id != &stack.id)
+    .await;
+
+  let deploy_services = if stack.config.auto_update_all_services {
+    Vec::new()
+  } else {
+    services_with_update
+      .iter()
+      .map(|service| service.service.clone())
+      .collect()
+  };
+
+  let swarm_id = swarm_or_server.swarm_id().map(str::to_string);
+  let swarm_name = swarm_or_server.swarm_name().map(str::to_string);
+  let server_id = swarm_or_server.server_id().map(str::to_string);
+  let server_name = swarm_or_server.server_name().map(str::to_string);
+
+  let stack_id = stack.id.clone();
+
+  let run = async move {
+    match execute::inner_handler(
+      ExecuteRequest::DeployStack(DeployStack {
+        stack: stack.id.clone(),
+        services: deploy_services,
+        stop_time: None,
+      }),
+      auto_redeploy_user().to_owned(),
+    )
+    .await
+    {
+      Ok(res) => {
+        let ExecutionResult::Single(update) = res else {
+          unreachable!()
+        };
+        let Ok(update) = poll_update_until_complete(&update.id).await
+        else {
+          return;
+        };
+        if update.success {
+          let ts = komodo_timestamp();
+          let alert = Alert {
+            id: Default::default(),
+            ts,
+            resolved: true,
+            resolved_ts: ts.into(),
+            level: SeverityLevel::Ok,
+            target: ResourceTarget::Stack(stack.id.clone()),
+            data: AlertData::StackAutoUpdated {
+              id: stack.id.clone(),
+              name: stack.name.clone(),
+              swarm_id,
+              swarm_name,
+              server_id,
+              server_name,
+              images: services_with_update
+                .iter()
+                .map(|service| service.image.clone())
+                .collect(),
+            },
+          };
+          let res = db_client().alerts.insert_one(&alert).await;
+          if let Err(e) = res {
+            error!("Failed to record StackAutoUpdated to db | {e:#}");
+          }
+          send_alerts(&[alert]).await;
+        }
+      }
+      Err(e) => {
+        warn!("Failed to auto update Stack {} | {e:#}", stack.name)
+      }
+    }
+  };
+
+  if wait_for_auto_update {
+    run.await
+  } else {
+    tokio::spawn(run);
+  }
+
+  Ok(CheckStackForUpdateResponse {
+    stack: stack_id,
+    services,
+  })
+}
+
+//
+
+impl Resolve<WriteArgs> for BatchCheckStackForUpdate {
+  #[instrument(
+    "BatchCheckStackForUpdate",
+    skip_all,
+    fields(
+      operator = user.id,
+      pattern = self.pattern,
+      skip_auto_update = self.skip_auto_update,
+      wait_for_auto_update = self.wait_for_auto_update,
+    )
+  )]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    let stacks = list_full_for_user_using_pattern::<Stack>(
+      &self.pattern,
+      Default::default(),
+      user,
+      PermissionLevel::Execute.into(),
+      &[],
+    )
+    .await?;
+
+    let res = stacks
+      .into_iter()
+      .map(|stack| async move {
+        let swarm_or_server = get_swarm_or_server(
+          &stack.config.swarm_id,
+          &stack.config.server_id,
+        )
+        .await?;
+        swarm_or_server.verify_has_target().map_err(|e| e.error)?;
+        check_stack_for_update_inner(
+          stack.id,
+          &swarm_or_server,
+          self.skip_auto_update,
+          self.wait_for_auto_update,
+          self.skip_cache_refresh,
+        )
+        .await
+      })
+      .collect::<FuturesOrdered<_>>()
+      .collect::<Vec<_>>()
+      .await
+      .into_iter()
+      .filter_map(|res| {
+        res
+          .inspect_err(|e| {
+            warn!(
+              "Failed to check stack for update in batch run | {e:#}"
+            )
+          })
+          .ok()
+      })
+      .collect();
+    Ok(res)
+  }
+}

bin/core/src/api/write/swarm.rs

@@ -0,0 +1,108 @@
+use komodo_client::{
+  api::write::*,
+  entities::{
+    permission::PermissionLevel, swarm::Swarm, update::Update,
+  },
+};
+use mogh_resolver::Resolve;
+
+use crate::{permission::get_check_permissions, resource};
+
+use super::WriteArgs;
+
+impl Resolve<WriteArgs> for CreateSwarm {
+  #[instrument(
+    "CreateSwarm",
+    skip_all,
+    fields(
+      operator = user.id,
+      swarm = self.name,
+      config = serde_json::to_string(&self.config).unwrap(),
+    )
+  )]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> mogh_error::Result<Swarm> {
+    resource::create::<Swarm>(&self.name, self.config, None, user)
+      .await
+  }
+}
+
+impl Resolve<WriteArgs> for CopySwarm {
+  #[instrument(
+    "CopySwarm",
+    skip_all,
+    fields(
+      operator = user.id,
+      swarm = self.name,
+      copy_swarm = self.id,
+    )
+  )]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> mogh_error::Result<Swarm> {
+    let Swarm { config, .. } = get_check_permissions::<Swarm>(
+      &self.id,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    resource::create::<Swarm>(&self.name, config.into(), None, user)
+      .await
+  }
+}
+
+impl Resolve<WriteArgs> for DeleteSwarm {
+  #[instrument(
+    "DeleteSwarm",
+    skip_all,
+    fields(
+      operator = user.id,
+      swarm = self.id,
+    )
+  )]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> mogh_error::Result<Swarm> {
+    Ok(resource::delete::<Swarm>(&self.id, user).await?)
+  }
+}
+
+impl Resolve<WriteArgs> for UpdateSwarm {
+  #[instrument(
+    "UpdateSwarm",
+    skip_all,
+    fields(
+      operator = user.id,
+      swarm = self.id,
+      update = serde_json::to_string(&self.config).unwrap()
+    )
+  )]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> mogh_error::Result<Swarm> {
+    Ok(resource::update::<Swarm>(&self.id, self.config, user).await?)
+  }
+}
+
+impl Resolve<WriteArgs> for RenameSwarm {
+  #[instrument(
+    "RenameSwarm",
+    skip_all,
+    fields(
+      operator = user.id,
+      swarm = self.id,
+      new_name = self.name
+    )
+  )]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> mogh_error::Result<Update> {
+    Ok(resource::rename::<Swarm>(&self.id, &self.name, user).await?)
+  }
+}

bin/core/src/api/write/sync.rs

@@ -32,7 +32,7 @@ use komodo_client::{
     user::sync_user,
   },
 };
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;
 use tracing::Instrument;
 
 use crate::{
@@ -69,7 +69,7 @@ impl Resolve<WriteArgs> for CreateResourceSync {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<ResourceSync> {
+  ) -> mogh_error::Result<ResourceSync> {
     resource::create::<ResourceSync>(
       &self.name,
       self.config,
@@ -93,7 +93,7 @@ impl Resolve<WriteArgs> for CopyResourceSync {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<ResourceSync> {
+  ) -> mogh_error::Result<ResourceSync> {
     let ResourceSync { config, .. } =
       get_check_permissions::<ResourceSync>(
         &self.id,
@@ -123,7 +123,7 @@ impl Resolve<WriteArgs> for DeleteResourceSync {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<ResourceSync> {
+  ) -> mogh_error::Result<ResourceSync> {
     Ok(resource::delete::<ResourceSync>(&self.id, user).await?)
   }
 }
@@ -141,7 +141,7 @@ impl Resolve<WriteArgs> for UpdateResourceSync {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<ResourceSync> {
+  ) -> mogh_error::Result<ResourceSync> {
     Ok(
       resource::update::<ResourceSync>(&self.id, self.config, user)
         .await?,
@@ -162,7 +162,7 @@ impl Resolve<WriteArgs> for RenameResourceSync {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
     Ok(
       resource::rename::<ResourceSync>(&self.id, &self.name, user)
         .await?,
@@ -181,7 +181,10 @@ impl Resolve<WriteArgs> for WriteSyncFileContents {
       file_path = self.file_path,
     )
   )]
-  async fn resolve(self, args: &WriteArgs) -> serror::Result<Update> {
+  async fn resolve(
+    self,
+    args: &WriteArgs,
+  ) -> mogh_error::Result<Update> {
     let sync = get_check_permissions::<ResourceSync>(
       &self.sync,
       &args.user,
@@ -231,7 +234,7 @@ async fn write_sync_file_contents_on_host(
   args: &WriteArgs,
   sync: ResourceSync,
   mut update: Update,
-) -> serror::Result<Update> {
+) -> mogh_error::Result<Update> {
   let WriteSyncFileContents {
     sync: _,
     resource_path,
@@ -249,7 +252,7 @@ async fn write_sync_file_contents_on_host(
     .context("Invalid resource path")?;
   let full_path = root.join(&resource_path).join(&file_path);
 
-  if let Err(e) = secret_file::write_async(&full_path, &contents)
+  if let Err(e) = mogh_secret_file::write_async(&full_path, &contents)
     .await
     .with_context(|| {
       format!(
@@ -295,7 +298,7 @@ async fn write_sync_file_contents_git(
   sync: ResourceSync,
   repo: Option<Repo>,
   mut update: Update,
-) -> serror::Result<Update> {
+) -> mogh_error::Result<Update> {
   let WriteSyncFileContents {
     sync: _,
     resource_path,
@@ -448,7 +451,10 @@ impl Resolve<WriteArgs> for CommitSync {
       sync = self.sync,
     )
   )]
-  async fn resolve(self, args: &WriteArgs) -> serror::Result<Update> {
+  async fn resolve(
+    self,
+    args: &WriteArgs,
+  ) -> mogh_error::Result<Update> {
     let WriteArgs { user } = args;
 
     let sync = get_check_permissions::<entities::sync::ResourceSync>(
@@ -535,12 +541,13 @@ impl Resolve<WriteArgs> for CommitSync {
         .join(to_path_compatible_name(&sync.name))
         .join(&resource_path);
       let span = info_span!("CommitSyncOnHost");
-      if let Err(e) = secret_file::write_async(&file_path, &res.toml)
-        .instrument(span)
-        .await
-        .with_context(|| {
-          format!("Failed to write resource file to {file_path:?}",)
-        })
+      if let Err(e) =
+        mogh_secret_file::write_async(&file_path, &res.toml)
+          .instrument(span)
+          .await
+          .with_context(|| {
+            format!("Failed to write resource file to {file_path:?}",)
+          })
       {
         update.push_error_log(
           "Write resource file",
@@ -677,7 +684,7 @@ impl Resolve<WriteArgs> for RefreshResourceSyncPending {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<ResourceSync> {
+  ) -> mogh_error::Result<ResourceSync> {
     // Even though this is a write request, this doesn't change any config. Anyone that can execute the
     // sync should be able to do this.
     let mut sync =

bin/core/src/api/write/tag.rs

@@ -13,9 +13,9 @@ use komodo_client::{
     server::Server, stack::Stack, sync::ResourceSync, tag::Tag,
   },
 };
+use mogh_error::AddStatusCodeError;
+use mogh_resolver::Resolve;
 use reqwest::StatusCode;
-use resolver_api::Resolve;
-use serror::AddStatusCodeError;
 
 use crate::{
   config::core_config,
@@ -39,7 +39,7 @@ impl Resolve<WriteArgs> for CreateTag {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Tag> {
+  ) -> mogh_error::Result<Tag> {
     if core_config().disable_non_admin_create && !user.admin {
       return Err(
         anyhow!("Non admins cannot create tags")
@@ -88,7 +88,7 @@ impl Resolve<WriteArgs> for RenameTag {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Tag> {
+  ) -> mogh_error::Result<Tag> {
     if ObjectId::from_str(&self.name).is_ok() {
       return Err(anyhow!("tag name cannot be ObjectId").into());
     }
@@ -121,7 +121,7 @@ impl Resolve<WriteArgs> for UpdateTagColor {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Tag> {
+  ) -> mogh_error::Result<Tag> {
     let tag = get_tag_check_owner(&self.tag, user).await?;
 
     update_one_by_id(
@@ -149,7 +149,7 @@ impl Resolve<WriteArgs> for DeleteTag {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Tag> {
+  ) -> mogh_error::Result<Tag> {
     let tag = get_tag_check_owner(&self.id, user).await?;
 
     tokio::try_join!(

bin/core/src/api/write/terminal.rs

@@ -8,10 +8,10 @@ use komodo_client::{
     user::User,
   },
 };
+use mogh_error::AddStatusCode;
+use mogh_resolver::Resolve;
 use periphery_client::api;
 use reqwest::StatusCode;
-use resolver_api::Resolve;
-use serror::AddStatusCode;
 
 use crate::{
   helpers::{
@@ -47,7 +47,7 @@ impl Resolve<WriteArgs> for CreateTerminal {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<NoData> {
+  ) -> mogh_error::Result<NoData> {
     match self.target.clone() {
       TerminalTarget::Server { server } => {
         let server = server
@@ -159,7 +159,7 @@ impl Resolve<WriteArgs> for DeleteTerminal {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<NoData> {
+  ) -> mogh_error::Result<NoData> {
     let server = match &self.target {
       TerminalTarget::Server { server } => {
         let server = server
@@ -233,7 +233,7 @@ impl Resolve<WriteArgs> for DeleteAllTerminals {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<NoData> {
+  ) -> mogh_error::Result<NoData> {
     let server = get_check_permissions::<Server>(
       &self.server,
       user,

bin/core/src/api/write/user.rs

@@ -1,28 +1,105 @@
-use std::str::FromStr;
+use std::{collections::VecDeque, str::FromStr};
 
 use anyhow::{Context, anyhow};
 use async_timing_util::unix_timestamp_ms;
 use database::{
+  bson::to_bson,
   hash_password,
-  mungos::mongodb::bson::{doc, oid::ObjectId},
+  mungos::{
+    by_id::update_one_by_id,
+    mongodb::bson::{doc, oid::ObjectId},
+  },
 };
 use komodo_client::{
   api::write::*,
   entities::{
-    NoData,
-    user::{User, UserConfig},
+    komodo_timestamp,
+    user::{NewUserParams, User, UserConfig},
   },
 };
+use mogh_error::{AddStatusCode as _, AddStatusCodeError};
+use mogh_resolver::Resolve;
 use reqwest::StatusCode;
-use resolver_api::Resolve;
-use serror::AddStatusCodeError;
 
-use crate::{config::core_config, state::db_client};
+use crate::{
+  helpers::{
+    query::get_user,
+    validations::{validate_password, validate_username},
+  },
+  state::db_client,
+};
 
 use super::WriteArgs;
 
 //
 
+const RECENTLY_VIEWED_MAX: usize = 10;
+
+impl Resolve<WriteArgs> for PushRecentlyViewed {
+  async fn resolve(
+    self,
+    WriteArgs { user, .. }: &WriteArgs,
+  ) -> mogh_error::Result<PushRecentlyViewedResponse> {
+    let user = get_user(&user.id).await?;
+
+    let (resource_type, id) = self.resource.extract_variant_id();
+
+    let field = format!("recents.{resource_type}");
+
+    let update = match user.recents.get(&resource_type) {
+      Some(recents) => {
+        let mut recents = recents
+          .iter()
+          .filter(|_id| !id.eq(*_id))
+          .take(RECENTLY_VIEWED_MAX - 1)
+          .collect::<VecDeque<_>>();
+
+        recents.push_front(id);
+
+        doc! { &field: to_bson(&recents)? }
+      }
+      None => {
+        doc! { &field: [id] }
+      }
+    };
+
+    update_one_by_id(
+      &db_client().users,
+      &user.id,
+      database::mungos::update::Update::Set(update),
+      None,
+    )
+    .await
+    .with_context(|| format!("Failed to update user '{field}'"))?;
+
+    Ok(PushRecentlyViewedResponse {})
+  }
+}
+
+//
+
+impl Resolve<WriteArgs> for SetLastSeenUpdate {
+  async fn resolve(
+    self,
+    WriteArgs { user, .. }: &WriteArgs,
+  ) -> mogh_error::Result<SetLastSeenUpdateResponse> {
+    update_one_by_id(
+      &db_client().users,
+      &user.id,
+      database::mungos::update::Update::Set(doc! {
+        "last_update_view": komodo_timestamp()
+      }),
+      None,
+    )
+    .await
+    .context("Failed to update user 'last_update_view'")?;
+
+    Ok(SetLastSeenUpdateResponse {})
+  }
+}
+
+//
+
 impl Resolve<WriteArgs> for CreateLocalUser {
   #[instrument(
     "CreateLocalUser",
@@ -35,27 +112,18 @@ impl Resolve<WriteArgs> for CreateLocalUser {
   async fn resolve(
     self,
     WriteArgs { user: admin }: &WriteArgs,
-  ) -> serror::Result<CreateLocalUserResponse> {
+  ) -> mogh_error::Result<CreateLocalUserResponse> {
     if !admin.admin {
       return Err(
-        anyhow!("This method is admin-only.")
+        anyhow!("This method is Admin Only.")
           .status_code(StatusCode::FORBIDDEN),
       );
     }
 
-    if self.username.is_empty() {
-      return Err(anyhow!("Username cannot be empty.").into());
-    }
-
-    if ObjectId::from_str(&self.username).is_ok() {
-      return Err(
-        anyhow!("Username cannot be valid ObjectId").into(),
-      );
-    }
-
-    if self.password.is_empty() {
-      return Err(anyhow!("Password cannot be empty.").into());
-    }
+    validate_username(&self.username)
+      .status_code(StatusCode::BAD_REQUEST)?;
+    validate_password(&self.password)
+      .status_code(StatusCode::BAD_REQUEST)?;
 
     let db = db_client();
 
@@ -72,22 +140,16 @@ impl Resolve<WriteArgs> for CreateLocalUser {
     let ts = unix_timestamp_ms() as i64;
     let hashed_password = hash_password(self.password)?;
 
-    let mut user = User {
-      id: Default::default(),
+    let mut user = User::new(NewUserParams {
       username: self.username,
       enabled: true,
       admin: false,
       super_admin: false,
-      create_server_permissions: false,
-      create_build_permissions: false,
-      updated_at: ts,
-      last_update_view: 0,
-      recents: Default::default(),
-      all: Default::default(),
       config: UserConfig::Local {
         password: hashed_password,
       },
-    };
+      updated_at: ts,
+    });
 
     user.id = db_client()
       .users
@@ -107,91 +169,6 @@ impl Resolve<WriteArgs> for CreateLocalUser {
 
 //
 
-impl Resolve<WriteArgs> for UpdateUserUsername {
-  #[instrument(
-    "UpdateUserUsername",
-    skip_all,
-    fields(
-      operator = user.id,
-      new_username = self.username,
-    )
-  )]
-  async fn resolve(
-    self,
-    WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<UpdateUserUsernameResponse> {
-    for locked_username in &core_config().lock_login_credentials_for {
-      if locked_username == "__ALL__"
-        || *locked_username == user.username
-      {
-        return Err(
-          anyhow!("User not allowed to update their username.")
-            .into(),
-        );
-      }
-    }
-    if self.username.is_empty() {
-      return Err(anyhow!("Username cannot be empty.").into());
-    }
-
-    if ObjectId::from_str(&self.username).is_ok() {
-      return Err(
-        anyhow!("Username cannot be valid ObjectId").into(),
-      );
-    }
-
-    let db = db_client();
-    if db
-      .users
-      .find_one(doc! { "username": &self.username })
-      .await
-      .context("Failed to query for existing users")?
-      .is_some()
-    {
-      return Err(anyhow!("Username already taken.").into());
-    }
-    let id = ObjectId::from_str(&user.id)
-      .context("User id not valid ObjectId.")?;
-    db.users
-      .update_one(
-        doc! { "_id": id },
-        doc! { "$set": { "username": self.username } },
-      )
-      .await
-      .context("Failed to update user username on database.")?;
-    Ok(NoData {})
-  }
-}
-
-//
-
-impl Resolve<WriteArgs> for UpdateUserPassword {
-  #[instrument(
-    "UpdateUserPassword",
-    skip_all,
-    fields(operator = user.id)
-  )]
-  async fn resolve(
-    self,
-    WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<UpdateUserPasswordResponse> {
-    for locked_username in &core_config().lock_login_credentials_for {
-      if locked_username == "__ALL__"
-        || *locked_username == user.username
-      {
-        return Err(
-          anyhow!("User not allowed to update their password.")
-            .into(),
-        );
-      }
-    }
-    db_client().set_user_password(user, &self.password).await?;
-    Ok(NoData {})
-  }
-}
-
-//
-
 impl Resolve<WriteArgs> for DeleteUser {
   #[instrument(
     "DeleteUser",
@@ -204,22 +181,26 @@ impl Resolve<WriteArgs> for DeleteUser {
   async fn resolve(
     self,
     WriteArgs { user: admin }: &WriteArgs,
-  ) -> serror::Result<DeleteUserResponse> {
+  ) -> mogh_error::Result<DeleteUserResponse> {
     if !admin.admin {
       return Err(
         anyhow!("This method is admin-only.")
           .status_code(StatusCode::FORBIDDEN),
       );
     }
+
     if admin.username == self.user || admin.id == self.user {
       return Err(anyhow!("User cannot delete themselves.").into());
     }
+
     let query = if let Ok(id) = ObjectId::from_str(&self.user) {
       doc! { "_id": id }
     } else {
       doc! { "username": self.user }
     };
+
     let db = db_client();
+
     let Some(user) = db
       .users
       .find_one(query.clone())
@@ -230,21 +211,25 @@ impl Resolve<WriteArgs> for DeleteUser {
         anyhow!("No user found with given id / username").into(),
       );
     };
+
     if user.super_admin {
       return Err(
         anyhow!("Cannot delete a super admin user.").into(),
       );
     }
+
     if user.admin && !admin.super_admin {
       return Err(
         anyhow!("Only a Super Admin can delete an admin user.")
           .into(),
       );
     }
+
     db.users
       .delete_one(query)
       .await
       .context("Failed to delete user from database")?;
+
     // Also remove user id from all user groups
     if let Err(e) = db
       .user_groups
@@ -253,6 +238,7 @@ impl Resolve<WriteArgs> for DeleteUser {
     {
       warn!("Failed to remove deleted user from user groups | {e:?}");
     };
+
     Ok(user)
   }
 }

bin/core/src/api/write/user_group.rs

@@ -10,9 +10,9 @@ use komodo_client::{
   api::write::*,
   entities::{komodo_timestamp, user_group::UserGroup},
 };
+use mogh_error::AddStatusCodeError;
+use mogh_resolver::Resolve;
 use reqwest::StatusCode;
-use resolver_api::Resolve;
-use serror::AddStatusCodeError;
 
 use crate::state::db_client;
 
@@ -30,7 +30,7 @@ impl Resolve<WriteArgs> for CreateUserGroup {
   async fn resolve(
     self,
     WriteArgs { user: admin }: &WriteArgs,
-  ) -> serror::Result<UserGroup> {
+  ) -> mogh_error::Result<UserGroup> {
     if !admin.admin {
       return Err(
         anyhow!("This call is admin only")
@@ -76,7 +76,7 @@ impl Resolve<WriteArgs> for RenameUserGroup {
   async fn resolve(
     self,
     WriteArgs { user: admin }: &WriteArgs,
-  ) -> serror::Result<UserGroup> {
+  ) -> mogh_error::Result<UserGroup> {
     if !admin.admin {
       return Err(
         anyhow!("This call is admin only")
@@ -112,7 +112,7 @@ impl Resolve<WriteArgs> for DeleteUserGroup {
   async fn resolve(
     self,
     WriteArgs { user: admin }: &WriteArgs,
-  ) -> serror::Result<UserGroup> {
+  ) -> mogh_error::Result<UserGroup> {
     if !admin.admin {
       return Err(
         anyhow!("This call is admin only")
@@ -156,7 +156,7 @@ impl Resolve<WriteArgs> for AddUserToUserGroup {
   async fn resolve(
     self,
     WriteArgs { user: admin }: &WriteArgs,
-  ) -> serror::Result<UserGroup> {
+  ) -> mogh_error::Result<UserGroup> {
     if !admin.admin {
       return Err(
         anyhow!("This call is admin only")
@@ -211,7 +211,7 @@ impl Resolve<WriteArgs> for RemoveUserFromUserGroup {
   async fn resolve(
     self,
     WriteArgs { user: admin }: &WriteArgs,
-  ) -> serror::Result<UserGroup> {
+  ) -> mogh_error::Result<UserGroup> {
     if !admin.admin {
       return Err(
         anyhow!("This call is admin only")
@@ -266,7 +266,7 @@ impl Resolve<WriteArgs> for SetUsersInUserGroup {
   async fn resolve(
     self,
     WriteArgs { user: admin }: &WriteArgs,
-  ) -> serror::Result<UserGroup> {
+  ) -> mogh_error::Result<UserGroup> {
     if !admin.admin {
       return Err(
         anyhow!("This call is admin only")
@@ -324,7 +324,7 @@ impl Resolve<WriteArgs> for SetEveryoneUserGroup {
   async fn resolve(
     self,
     WriteArgs { user: admin }: &WriteArgs,
-  ) -> serror::Result<UserGroup> {
+  ) -> mogh_error::Result<UserGroup> {
     if !admin.admin {
       return Err(
         anyhow!("This call is admin only")

bin/core/src/api/write/variable.rs

@@ -4,14 +4,15 @@ use komodo_client::{
   api::write::*,
   entities::{Operation, ResourceTarget, variable::Variable},
 };
+use mogh_error::{AddStatusCode as _, AddStatusCodeError};
+use mogh_resolver::Resolve;
 use reqwest::StatusCode;
-use resolver_api::Resolve;
-use serror::AddStatusCodeError;
 
 use crate::{
   helpers::{
     query::get_variable,
     update::{add_update, make_update},
+    validations::{validate_variable_name, validate_variable_value},
   },
   state::db_client,
 };
@@ -32,10 +33,10 @@ impl Resolve<WriteArgs> for CreateVariable {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<CreateVariableResponse> {
+  ) -> mogh_error::Result<CreateVariableResponse> {
     if !user.admin {
       return Err(
-        anyhow!("Only admins can create variables")
+        anyhow!("Only Admins can create Variables")
           .status_code(StatusCode::FORBIDDEN),
       );
     }
@@ -47,6 +48,11 @@ impl Resolve<WriteArgs> for CreateVariable {
       is_secret,
     } = self;
 
+    validate_variable_name(&name)
+      .status_code(StatusCode::BAD_REQUEST)?;
+    validate_variable_value(&value)
+      .status_code(StatusCode::BAD_REQUEST)?;
+
     let variable = Variable {
       name,
       value,
@@ -58,7 +64,7 @@ impl Resolve<WriteArgs> for CreateVariable {
       .variables
       .insert_one(&variable)
       .await
-      .context("Failed to create variable on db")?;
+      .context("Failed to create Variable on db")?;
 
     let mut update = make_update(
       ResourceTarget::system(),
@@ -67,7 +73,8 @@ impl Resolve<WriteArgs> for CreateVariable {
     );
 
     update
-      .push_simple_log("create variable", format!("{variable:#?}"));
+      .push_simple_log("Create Variable", format!("{variable:#?}"));
+
     update.finalize();
 
     add_update(update).await?;
@@ -88,16 +95,21 @@ impl Resolve<WriteArgs> for UpdateVariableValue {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<UpdateVariableValueResponse> {
+  ) -> mogh_error::Result<UpdateVariableValueResponse> {
     if !user.admin {
       return Err(
-        anyhow!("Only admins can update variables")
+        anyhow!("Only Admins can update Variables")
           .status_code(StatusCode::FORBIDDEN),
       );
     }
 
     let UpdateVariableValue { name, value } = self;
 
+    validate_variable_name(&name)
+      .status_code(StatusCode::BAD_REQUEST)?;
+    validate_variable_value(&value)
+      .status_code(StatusCode::BAD_REQUEST)?;
+
     let variable = get_variable(&name).await?;
 
     if value == variable.value {
@@ -153,13 +165,14 @@ impl Resolve<WriteArgs> for UpdateVariableDescription {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<UpdateVariableDescriptionResponse> {
+  ) -> mogh_error::Result<UpdateVariableDescriptionResponse> {
     if !user.admin {
       return Err(
-        anyhow!("Only admins can update variables")
+        anyhow!("Only Admins can update Variables")
           .status_code(StatusCode::FORBIDDEN),
       );
     }
+
     db_client()
       .variables
       .update_one(
@@ -168,6 +181,7 @@ impl Resolve<WriteArgs> for UpdateVariableDescription {
       )
       .await
       .context("Failed to update variable description on db")?;
+
     Ok(get_variable(&self.name).await?)
   }
 }
@@ -185,13 +199,14 @@ impl Resolve<WriteArgs> for UpdateVariableIsSecret {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<UpdateVariableIsSecretResponse> {
+  ) -> mogh_error::Result<UpdateVariableIsSecretResponse> {
     if !user.admin {
       return Err(
-        anyhow!("Only admins can update variables")
+        anyhow!("Only Admins can update Variables")
           .status_code(StatusCode::FORBIDDEN),
       );
     }
+
     db_client()
       .variables
       .update_one(
@@ -199,7 +214,8 @@ impl Resolve<WriteArgs> for UpdateVariableIsSecret {
         doc! { "$set": { "is_secret": self.is_secret } },
       )
       .await
-      .context("Failed to update variable is secret on db")?;
+      .context("Failed to update Variable 'is_secret' on db")?;
+
     Ok(get_variable(&self.name).await?)
   }
 }
@@ -216,19 +232,21 @@ impl Resolve<WriteArgs> for DeleteVariable {
   async fn resolve(
     self,
     WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<DeleteVariableResponse> {
+  ) -> mogh_error::Result<DeleteVariableResponse> {
     if !user.admin {
       return Err(
-        anyhow!("Only admins can delete variables")
+        anyhow!("Only Admins can delete Variables")
           .status_code(StatusCode::FORBIDDEN),
       );
     }
+
     let variable = get_variable(&self.name).await?;
+
     db_client()
       .variables
       .delete_one(doc! { "name": &self.name })
       .await
-      .context("Failed to delete variable on db")?;
+      .context("Failed to delete Variable on db")?;
 
     let mut update = make_update(
       ResourceTarget::system(),

bin/core/src/api/ws/mod.rs

@@ -0,0 +1,100 @@
+use std::net::IpAddr;
+
+use anyhow::{Context, anyhow};
+use axum::{
+  Router,
+  extract::ws::{self, WebSocket},
+  routing::get,
+};
+use komodo_client::{entities::user::User, ws::WsLoginMessage};
+use mogh_error::{AddStatusCode, AddStatusCodeError};
+use mogh_rate_limit::WithFailureRateLimit;
+use reqwest::StatusCode;
+
+use crate::{
+  auth::{
+    GENERAL_RATE_LIMITER,
+    middleware::{
+      auth_api_key_check_enabled, auth_jwt_check_enabled,
+    },
+  },
+  helpers::query::get_user,
+};
+
+mod terminal;
+mod update;
+
+pub fn router() -> Router {
+  Router::new()
+    // Periphery facing
+    .route("/periphery", get(crate::connection::server::handler))
+    // User facing
+    .route("/update", get(update::handler))
+    .route("/terminal", get(terminal::handler))
+}
+
+async fn user_ws_login(
+  mut socket: WebSocket,
+  ip: IpAddr,
+) -> Option<(WebSocket, User)> {
+  let res = async {
+    let message = match socket
+      .recv()
+      .await
+      .context("Failed to receive message over socket: Closed")
+      .status_code(StatusCode::BAD_REQUEST)?
+      .context("Failed to recieve message over socket: Error")
+      .status_code(StatusCode::BAD_REQUEST)?
+    {
+      ws::Message::Text(utf8_bytes) => utf8_bytes.to_string(),
+      ws::Message::Binary(bytes) => String::from_utf8(bytes.into())
+        .context("Received invalid message bytes: Not UTF-8")
+        .status_code(StatusCode::BAD_REQUEST)?,
+      message => {
+        return Err(
+          anyhow!("Received invalid message: {message:?}")
+            .status_code(StatusCode::BAD_REQUEST),
+        );
+      }
+    };
+
+    match WsLoginMessage::from_json_str(&message)
+      .context("Invalid login message")
+      .status_code(StatusCode::BAD_REQUEST)?
+    {
+      WsLoginMessage::Jwt { jwt } => auth_jwt_check_enabled(&jwt)
+        .await
+        .status_code(StatusCode::UNAUTHORIZED),
+      WsLoginMessage::ApiKeys { key, secret } => {
+        auth_api_key_check_enabled(&key, &secret)
+          .await
+          .status_code(StatusCode::UNAUTHORIZED)
+      }
+    }
+  }
+  .with_failure_rate_limit_using_ip(&GENERAL_RATE_LIMITER, &ip)
+  .await;
+  match res {
+    Ok(user) => {
+      let _ = socket.send(ws::Message::text("LOGGED_IN")).await;
+      Some((socket, user))
+    }
+    Err(e) => {
+      let _ = socket
+        .send(ws::Message::text(format!(
+          "[{}]: {:#}",
+          e.status, e.error
+        )))
+        .await;
+      None
+    }
+  }
+}
+
+async fn check_user_valid(user_id: &str) -> anyhow::Result<User> {
+  let user = get_user(user_id).await?;
+  if !user.enabled {
+    return Err(anyhow!("User not enabled"));
+  }
+  Ok(user)
+}

bin/core/src/api/ws/terminal.rs

@@ -9,6 +9,7 @@ use futures_util::{SinkExt, StreamExt as _};
 use komodo_client::{
   api::terminal::ConnectTerminalQuery, entities::user::User,
 };
+use mogh_auth_server::request_ip::RequestIp;
 use periphery_client::api::terminal::DisconnectTerminal;
 use serde::de::DeserializeOwned;
 use tokio_util::sync::CancellationToken;
@@ -21,12 +22,13 @@ use crate::{
 
 #[instrument("ConnectTerminal", skip(ws))]
 pub async fn handler(
+  RequestIp(ip): RequestIp,
   Qs(query): Qs<ConnectTerminalQuery>,
   ws: WebSocketUpgrade,
 ) -> impl IntoResponse {
-  ws.on_upgrade(|socket| async move {
+  ws.on_upgrade(move |socket| async move {
     let Some((mut client_socket, user)) =
-      super::user_ws_login(socket).await
+      super::user_ws_login(socket, ip).await
     else {
       return;
     };

bin/core/src/api/ws/update.rs

@@ -7,8 +7,9 @@ use futures_util::{SinkExt, StreamExt};
 use komodo_client::entities::{
   ResourceTarget, permission::PermissionLevel, user::User,
 };
+use mogh_auth_server::request_ip::RequestIp;
+use mogh_error::serialize_error;
 use serde_json::json;
-use serror::serialize_error;
 use tokio::select;
 use tokio_util::sync::CancellationToken;
 
@@ -16,17 +17,22 @@ use crate::helpers::{
   channel::update_channel, query::get_user_permission_on_target,
 };
 
-pub async fn handler(ws: WebSocketUpgrade) -> impl IntoResponse {
+pub async fn handler(
+  RequestIp(ip): RequestIp,
+  ws: WebSocketUpgrade,
+) -> impl IntoResponse {
   // get a reveiver for internal update messages.
   let mut receiver = update_channel().receiver.resubscribe();
 
   // handle http -> ws updgrade
-  ws.on_upgrade(|socket| async move {
-    let Some((socket, user)) = super::user_ws_login(socket).await else {
-      return
+  ws.on_upgrade(move |socket| async move {
+    let Some((client_socket, user)) =
+      super::user_ws_login(socket,  ip).await
+    else {
+      return;
     };
 
-    let (mut ws_sender, mut ws_reciever) = socket.split();
+    let (mut ws_sender, mut ws_reciever) = client_socket.split();
 
     let cancel = CancellationToken::new();
     let cancel_clone = cancel.clone();

bin/core/src/auth/api_key.rs

@@ -0,0 +1,39 @@
+use anyhow::Context as _;
+use database::bson::doc;
+use komodo_client::entities::{api_key::ApiKey, komodo_timestamp};
+use mogh_auth_client::api::manage::CreateApiKey;
+
+use crate::state::db_client;
+
+pub async fn create_api_key(
+  user_id: String,
+  CreateApiKey { name, expires }: CreateApiKey,
+  key: String,
+  hashed_secret: String,
+) -> anyhow::Result<()> {
+  let api_key = ApiKey {
+    name,
+    key,
+    secret: hashed_secret,
+    user_id,
+    created_at: komodo_timestamp(),
+    expires: expires as i64,
+  };
+
+  db_client()
+    .api_keys
+    .insert_one(api_key)
+    .await
+    .context("Failed to create api key on database")?;
+
+  Ok(())
+}
+
+pub async fn delete_api_key(key: &str) -> anyhow::Result<()> {
+  db_client()
+    .api_keys
+    .delete_one(doc! { "key": key })
+    .await
+    .context("Failed to delete api key from database")?;
+  Ok(())
+}

bin/core/src/auth/github/client.rs

@@ -1,228 +0,0 @@
-use std::sync::OnceLock;
-
-use anyhow::{Context, anyhow};
-use komodo_client::entities::{
-  config::core::{CoreConfig, OauthCredentials},
-  random_string,
-};
-use reqwest::StatusCode;
-use serde::{Deserialize, Serialize, de::DeserializeOwned};
-use tokio::sync::Mutex;
-
-use crate::{auth::STATE_PREFIX_LENGTH, config::core_config};
-
-pub fn github_oauth_client() -> &'static Option<GithubOauthClient> {
-  static GITHUB_OAUTH_CLIENT: OnceLock<Option<GithubOauthClient>> =
-    OnceLock::new();
-  GITHUB_OAUTH_CLIENT
-    .get_or_init(|| GithubOauthClient::new(core_config()))
-}
-
-pub struct GithubOauthClient {
-  http: reqwest::Client,
-  client_id: String,
-  client_secret: String,
-  redirect_uri: String,
-  scopes: String,
-  states: Mutex<Vec<String>>,
-  user_agent: String,
-}
-
-impl GithubOauthClient {
-  pub fn new(
-    CoreConfig {
-      github_oauth:
-        OauthCredentials {
-          enabled,
-          id,
-          secret,
-        },
-      host,
-      ..
-    }: &CoreConfig,
-  ) -> Option<GithubOauthClient> {
-    if !enabled {
-      return None;
-    }
-    if host.is_empty() {
-      warn!(
-        "github oauth is enabled, but 'config.host' is not configured"
-      );
-      return None;
-    }
-    if id.is_empty() {
-      warn!(
-        "github oauth is enabled, but 'config.github_oauth.id' is not configured"
-      );
-      return None;
-    }
-    if secret.is_empty() {
-      warn!(
-        "github oauth is enabled, but 'config.github_oauth.secret' is not configured"
-      );
-      return None;
-    }
-    GithubOauthClient {
-      http: reqwest::Client::new(),
-      client_id: id.clone(),
-      client_secret: secret.clone(),
-      redirect_uri: format!("{host}/auth/github/callback"),
-      user_agent: Default::default(),
-      scopes: Default::default(),
-      states: Default::default(),
-    }
-    .into()
-  }
-
-  pub async fn get_login_redirect_url(
-    &self,
-    redirect: Option<String>,
-  ) -> String {
-    let state_prefix = random_string(STATE_PREFIX_LENGTH);
-    let state = match redirect {
-      Some(redirect) => format!("{state_prefix}{redirect}"),
-      None => state_prefix,
-    };
-    let redirect_url = format!(
-      "https://github.com/login/oauth/authorize?state={state}&client_id={}&redirect_uri={}&scope={}",
-      self.client_id, self.redirect_uri, self.scopes
-    );
-    let mut states = self.states.lock().await;
-    states.push(state);
-    redirect_url
-  }
-
-  pub async fn check_state(&self, state: &str) -> bool {
-    let mut contained = false;
-    self.states.lock().await.retain(|s| {
-      if s.as_str() == state {
-        contained = true;
-        false
-      } else {
-        true
-      }
-    });
-    contained
-  }
-
-  pub async fn get_access_token(
-    &self,
-    code: &str,
-  ) -> anyhow::Result<AccessTokenResponse> {
-    self
-      .post::<(), _>(
-        "https://github.com/login/oauth/access_token",
-        &[
-          ("client_id", self.client_id.as_str()),
-          ("client_secret", self.client_secret.as_str()),
-          ("redirect_uri", self.redirect_uri.as_str()),
-          ("code", code),
-        ],
-        None,
-        None,
-      )
-      .await
-      .context("failed to get github access token using code")
-  }
-
-  pub async fn get_github_user(
-    &self,
-    token: &str,
-  ) -> anyhow::Result<GithubUserResponse> {
-    self
-      .get("https://api.github.com/user", &[], Some(token))
-      .await
-      .context("failed to get github user using access token")
-  }
-
-  async fn get<R: DeserializeOwned>(
-    &self,
-    endpoint: &str,
-    query: &[(&str, &str)],
-    bearer_token: Option<&str>,
-  ) -> anyhow::Result<R> {
-    let mut req = self
-      .http
-      .get(endpoint)
-      .query(query)
-      .header("User-Agent", &self.user_agent);
-
-    if let Some(bearer_token) = bearer_token {
-      req =
-        req.header("Authorization", format!("Bearer {bearer_token}"));
-    }
-
-    let res = req.send().await.context("failed to reach github")?;
-
-    let status = res.status();
-
-    if status == StatusCode::OK {
-      let body = res
-        .json()
-        .await
-        .context("failed to parse body into expected type")?;
-      Ok(body)
-    } else {
-      let text = res.text().await.context(format!(
-        "status: {status} | failed to get response text"
-      ))?;
-      Err(anyhow!("status: {status} | text: {text}"))
-    }
-  }
-
-  async fn post<B: Serialize, R: DeserializeOwned>(
-    &self,
-    endpoint: &str,
-    query: &[(&str, &str)],
-    body: Option<&B>,
-    bearer_token: Option<&str>,
-  ) -> anyhow::Result<R> {
-    let mut req = self
-      .http
-      .post(endpoint)
-      .query(query)
-      .header("Accept", "application/json")
-      .header("User-Agent", &self.user_agent);
-
-    if let Some(body) = body {
-      req = req.json(body);
-    }
-
-    if let Some(bearer_token) = bearer_token {
-      req =
-        req.header("Authorization", format!("Bearer {bearer_token}"));
-    }
-
-    let res = req.send().await.context("failed to reach github")?;
-
-    let status = res.status();
-
-    if status == StatusCode::OK {
-      let body = res
-        .json()
-        .await
-        .context("failed to parse POST body into expected type")?;
-      Ok(body)
-    } else {
-      let text = res.text().await.with_context(|| format!(
-        "method: POST | status: {status} | failed to get response text"
-      ))?;
-      Err(anyhow!("method: POST | status: {status} | text: {text}"))
-    }
-  }
-}
-
-#[derive(Deserialize)]
-pub struct AccessTokenResponse {
-  pub access_token: String,
-  // pub scope: String,
-  // pub token_type: String,
-}
-
-#[derive(Deserialize)]
-pub struct GithubUserResponse {
-  pub login: String,
-  pub id: u128,
-  pub avatar_url: String,
-  // pub email: Option<String>,
-}

bin/core/src/auth/github/mod.rs

@@ -1,138 +0,0 @@
-use anyhow::{Context, anyhow};
-use axum::{
-  Router, extract::Query, response::Redirect, routing::get,
-};
-use database::mongo_indexed::Document;
-use database::mungos::mongodb::bson::doc;
-use komodo_client::entities::{
-  komodo_timestamp, random_string,
-  user::{User, UserConfig},
-};
-use reqwest::StatusCode;
-use serde::Deserialize;
-use serror::AddStatusCode;
-
-use crate::{
-  config::core_config,
-  state::{db_client, jwt_client},
-};
-
-use self::client::github_oauth_client;
-
-use super::{RedirectQuery, STATE_PREFIX_LENGTH};
-
-pub mod client;
-
-pub fn router() -> Router {
-  Router::new()
-    .route(
-      "/login",
-      get(|Query(query): Query<RedirectQuery>| async {
-        Redirect::to(
-          &github_oauth_client()
-            .as_ref()
-            // OK: the router is only mounted in case that the client is populated
-            .unwrap()
-            .get_login_redirect_url(query.redirect)
-            .await,
-        )
-      }),
-    )
-    .route(
-      "/callback",
-      get(|query| async {
-        callback(query).await.status_code(StatusCode::UNAUTHORIZED)
-      }),
-    )
-}
-
-#[derive(Debug, Deserialize)]
-struct CallbackQuery {
-  state: String,
-  code: String,
-}
-
-async fn callback(
-  Query(query): Query<CallbackQuery>,
-) -> anyhow::Result<Redirect> {
-  let client = github_oauth_client().as_ref().unwrap();
-  if !client.check_state(&query.state).await {
-    return Err(anyhow!("state mismatch"));
-  }
-  let token = client.get_access_token(&query.code).await?;
-  let github_user =
-    client.get_github_user(&token.access_token).await?;
-  let github_id = github_user.id.to_string();
-  let db_client = db_client();
-  let user = db_client
-    .users
-    .find_one(doc! { "config.data.github_id": &github_id })
-    .await
-    .context("failed at find user query from database")?;
-  let jwt = match user {
-    Some(user) => jwt_client()
-      .encode(user.id)
-      .context("failed to generate jwt")?,
-    None => {
-      let ts = komodo_timestamp();
-      let no_users_exist =
-        db_client.users.find_one(Document::new()).await?.is_none();
-      let core_config = core_config();
-      if !no_users_exist && core_config.disable_user_registration {
-        return Err(anyhow!("User registration is disabled"));
-      }
-
-      let mut username = github_user.login;
-      // Modify username if it already exists
-      if db_client
-        .users
-        .find_one(doc! { "username": &username })
-        .await
-        .context("Failed to query users collection")?
-        .is_some()
-      {
-        username += "-";
-        username += &random_string(5);
-      };
-
-      let user = User {
-        id: Default::default(),
-        username,
-        enabled: no_users_exist || core_config.enable_new_users,
-        admin: no_users_exist,
-        super_admin: no_users_exist,
-        create_server_permissions: no_users_exist,
-        create_build_permissions: no_users_exist,
-        updated_at: ts,
-        last_update_view: 0,
-        recents: Default::default(),
-        all: Default::default(),
-        config: UserConfig::Github {
-          github_id,
-          avatar: github_user.avatar_url,
-        },
-      };
-      let user_id = db_client
-        .users
-        .insert_one(user)
-        .await
-        .context("failed to create user on mongo")?
-        .inserted_id
-        .as_object_id()
-        .context("inserted_id is not ObjectId")?
-        .to_string();
-      jwt_client()
-        .encode(user_id)
-        .context("failed to generate jwt")?
-    }
-  };
-  let exchange_token = jwt_client().create_exchange_token(jwt).await;
-  let redirect = &query.state[STATE_PREFIX_LENGTH..];
-  let redirect_url = if redirect.is_empty() {
-    format!("{}?token={exchange_token}", core_config().host)
-  } else {
-    let splitter = if redirect.contains('?') { '&' } else { '?' };
-    format!("{redirect}{splitter}token={exchange_token}")
-  };
-  Ok(Redirect::to(&redirect_url))
-}

bin/core/src/auth/google/client.rs

@@ -1,198 +0,0 @@
-use std::sync::OnceLock;
-
-use anyhow::{Context, anyhow};
-use jsonwebtoken::dangerous::insecure_decode;
-use komodo_client::entities::{
-  config::core::{CoreConfig, OauthCredentials},
-  random_string,
-};
-use reqwest::StatusCode;
-use serde::{Deserialize, de::DeserializeOwned};
-use tokio::sync::Mutex;
-
-use crate::{auth::STATE_PREFIX_LENGTH, config::core_config};
-
-pub fn google_oauth_client() -> &'static Option<GoogleOauthClient> {
-  static GOOGLE_OAUTH_CLIENT: OnceLock<Option<GoogleOauthClient>> =
-    OnceLock::new();
-  GOOGLE_OAUTH_CLIENT
-    .get_or_init(|| GoogleOauthClient::new(core_config()))
-}
-
-pub struct GoogleOauthClient {
-  http: reqwest::Client,
-  client_id: String,
-  client_secret: String,
-  redirect_uri: String,
-  scopes: String,
-  states: Mutex<Vec<String>>,
-  user_agent: String,
-}
-
-impl GoogleOauthClient {
-  pub fn new(
-    CoreConfig {
-      google_oauth:
-        OauthCredentials {
-          enabled,
-          id,
-          secret,
-        },
-      host,
-      ..
-    }: &CoreConfig,
-  ) -> Option<GoogleOauthClient> {
-    if !enabled {
-      return None;
-    }
-    if host.is_empty() {
-      warn!(
-        "google oauth is enabled, but 'config.host' is not configured"
-      );
-      return None;
-    }
-    if id.is_empty() {
-      warn!(
-        "google oauth is enabled, but 'config.google_oauth.id' is not configured"
-      );
-      return None;
-    }
-    if secret.is_empty() {
-      warn!(
-        "google oauth is enabled, but 'config.google_oauth.secret' is not configured"
-      );
-      return None;
-    }
-    let scopes = urlencoding::encode(
-      &[
-        "https://www.googleapis.com/auth/userinfo.profile",
-        "https://www.googleapis.com/auth/userinfo.email",
-      ]
-      .join(" "),
-    )
-    .to_string();
-    GoogleOauthClient {
-      http: Default::default(),
-      client_id: id.clone(),
-      client_secret: secret.clone(),
-      redirect_uri: format!("{host}/auth/google/callback"),
-      user_agent: String::from("komodo"),
-      states: Default::default(),
-      scopes,
-    }
-    .into()
-  }
-
-  pub async fn get_login_redirect_url(
-    &self,
-    redirect: Option<String>,
-  ) -> String {
-    let state_prefix = random_string(STATE_PREFIX_LENGTH);
-    let state = match redirect {
-      Some(redirect) => format!("{state_prefix}{redirect}"),
-      None => state_prefix,
-    };
-    let redirect_url = format!(
-      "https://accounts.google.com/o/oauth2/v2/auth?response_type=code&state={state}&client_id={}&redirect_uri={}&scope={}",
-      self.client_id, self.redirect_uri, self.scopes
-    );
-    let mut states = self.states.lock().await;
-    states.push(state);
-    redirect_url
-  }
-
-  pub async fn check_state(&self, state: &str) -> bool {
-    let mut contained = false;
-    self.states.lock().await.retain(|s| {
-      if s.as_str() == state {
-        contained = true;
-        false
-      } else {
-        true
-      }
-    });
-    contained
-  }
-
-  pub async fn get_access_token(
-    &self,
-    code: &str,
-  ) -> anyhow::Result<AccessTokenResponse> {
-    self
-      .post::<_>(
-        "https://oauth2.googleapis.com/token",
-        &[
-          ("client_id", self.client_id.as_str()),
-          ("client_secret", self.client_secret.as_str()),
-          ("redirect_uri", self.redirect_uri.as_str()),
-          ("code", code),
-          ("grant_type", "authorization_code"),
-        ],
-        None,
-      )
-      .await
-      .context("failed to get google access token using code")
-  }
-
-  pub fn get_google_user(
-    &self,
-    id_token: &str,
-  ) -> anyhow::Result<GoogleUser> {
-    let res = insecure_decode::<GoogleUser>(id_token)
-      .context("failed to decode google id token")?;
-    Ok(res.claims)
-  }
-
-  async fn post<R: DeserializeOwned>(
-    &self,
-    endpoint: &str,
-    body: &[(&str, &str)],
-    bearer_token: Option<&str>,
-  ) -> anyhow::Result<R> {
-    let mut req = self
-      .http
-      .post(endpoint)
-      .form(body)
-      .header("Accept", "application/json")
-      .header("User-Agent", &self.user_agent);
-
-    if let Some(bearer_token) = bearer_token {
-      req =
-        req.header("Authorization", format!("Bearer {bearer_token}"));
-    }
-
-    let res = req.send().await.context("failed to reach google")?;
-
-    let status = res.status();
-
-    if status == StatusCode::OK {
-      let body = res
-        .json()
-        .await
-        .context("failed to parse POST body into expected type")?;
-      Ok(body)
-    } else {
-      let text = res.text().await.context(format!(
-        "method: POST | status: {status} | failed to get response text"
-      ))?;
-      Err(anyhow!("method: POST | status: {status} | text: {text}"))
-    }
-  }
-}
-
-#[derive(Deserialize)]
-pub struct AccessTokenResponse {
-  // pub access_token: String,
-  pub id_token: String,
-  // pub scope: String,
-  // pub token_type: String,
-}
-
-#[derive(Deserialize, Clone)]
-pub struct GoogleUser {
-  #[serde(rename = "sub")]
-  pub id: String,
-  pub email: String,
-  #[serde(default)]
-  pub picture: String,
-}