trydirect · vsilent · Mar 6, 2026 · Mar 6, 2026 · Mar 6, 2026 · Mar 6, 2026
diff --git a/.sqlx/query-32d118e607db4364979c52831e0c30a215779928a041ef51e93383e93288aac2.json b/.sqlx/query-32d118e607db4364979c52831e0c30a215779928a041ef51e93383e93288aac2.json
diff --git a/...1dfcb0e7769f0333d2acf7d6e0fb97ca12dc.json → ...149b736702a008e920373c139d5cc8f228a5.json b/...1dfcb0e7769f0333d2acf7d6e0fb97ca12dc.json → ...149b736702a008e920373c139d5cc8f228a5.json
diff --git a/.sqlx/query-b8296183bd28695d3a7574e57db445dc1f4b2d659a3805f92f6f5f83b562266b.json b/.sqlx/query-b8296183bd28695d3a7574e57db445dc1f4b2d659a3805f92f6f5f83b562266b.json
diff --git a/...4df13c46ef2eb373398a535090edf738cb5a.json → ...5cc601af9ca4a06bd87100cd68a251431618.json b/...4df13c46ef2eb373398a535090edf738cb5a.json → ...5cc601af9ca4a06bd87100cd68a251431618.json
diff --git a/migrations/20260306120000_add_cloud_name.down.sql b/migrations/20260306120000_add_cloud_name.down.sql
@@ -0,0 +1,2 @@
+DROP INDEX IF EXISTS idx_cloud_user_name;
+ALTER TABLE cloud DROP COLUMN IF EXISTS name;
diff --git a/migrations/20260306120000_add_cloud_name.up.sql b/migrations/20260306120000_add_cloud_name.up.sql
@@ -0,0 +1,12 @@
+-- Add a human-friendly name to cloud credentials so users can reference them
+-- by name (e.g. `stacker deploy --key my-hetzner`) instead of by provider.
+ALTER TABLE cloud ADD COLUMN name VARCHAR(100);
+
+-- Backfill existing rows: default name = "{provider}-{id}" (e.g. "htz-4")
+UPDATE cloud SET name = provider || '-' || id WHERE name IS NULL;
+
+-- Make name NOT NULL after backfill
+ALTER TABLE cloud ALTER COLUMN name SET NOT NULL;
+
+-- Unique per user: a user can't have two cloud keys with the same name
+CREATE UNIQUE INDEX idx_cloud_user_name ON cloud (user_id, name);
diff --git a/migrations/20260306190000_casbin_client_role_mapping.down.sql b/migrations/20260306190000_casbin_client_role_mapping.down.sql
@@ -0,0 +1,9 @@
+-- Revert client role Casbin mappings
+DELETE FROM public.casbin_rule WHERE ptype = 'g' AND v0 = 'client' AND v1 = 'group_anonymous';
+DELETE FROM public.casbin_rule WHERE ptype = 'p' AND v0 = 'client' AND v1 = '/api/v1/agent/register' AND v2 = 'POST';
+DELETE FROM public.casbin_rule WHERE ptype = 'p' AND v0 = 'client' AND v1 = '/api/v1/agent/commands/wait/:deployment_hash' AND v2 = 'GET';
+DELETE FROM public.casbin_rule WHERE ptype = 'p' AND v0 = 'client' AND v1 = '/api/v1/agent/commands/report' AND v2 = 'POST';
+DELETE FROM public.casbin_rule WHERE ptype = 'p' AND v0 = 'client' AND v1 = '/project/:id/deploy' AND v2 = 'POST';
+DELETE FROM public.casbin_rule WHERE ptype = 'p' AND v0 = 'client' AND v1 = '/project/:id/deploy/:cloud_id' AND v2 = 'POST';
+DELETE FROM public.casbin_rule WHERE ptype = 'p' AND v0 = 'client' AND v1 = '/project/:id/compose' AND v2 = 'GET';
+DELETE FROM public.casbin_rule WHERE ptype = 'p' AND v0 = 'client' AND v1 = '/project/:id/compose' AND v2 = 'POST';
diff --git a/migrations/20260306190000_casbin_client_role_mapping.up.sql b/migrations/20260306190000_casbin_client_role_mapping.up.sql
@@ -0,0 +1,44 @@
+-- Fix 403 on agent registration when using HMAC auth (client role).
+-- The HMAC middleware now sets subject = "client" (previously was the numeric
+-- client_id which had no Casbin mapping at all).
+-- Ensure the "client" role inherits from group_anonymous (like group_user/group_admin).
+
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES ('g', 'client', 'group_anonymous', '', '', '', '')
+ON CONFLICT ON CONSTRAINT unique_key_sqlx_adapter DO NOTHING;
+
+-- Safety: ensure agent register is accessible by group_anonymous
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES ('p', 'group_anonymous', '/api/v1/agent/register', 'POST', '', '', '')
+ON CONFLICT ON CONSTRAINT unique_key_sqlx_adapter DO NOTHING;
+
+-- Safety: ensure client has explicit access to agent register
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES ('p', 'client', '/api/v1/agent/register', 'POST', '', '', '')
+ON CONFLICT ON CONSTRAINT unique_key_sqlx_adapter DO NOTHING;
+
+-- Grant client access to other agent endpoints (wait, report, enqueue)
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES ('p', 'client', '/api/v1/agent/commands/wait/:deployment_hash', 'GET', '', '', '')
+ON CONFLICT ON CONSTRAINT unique_key_sqlx_adapter DO NOTHING;
+
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES ('p', 'client', '/api/v1/agent/commands/report', 'POST', '', '', '')
+ON CONFLICT ON CONSTRAINT unique_key_sqlx_adapter DO NOTHING;
+
+-- Grant client access to deploy-related endpoints that HMAC clients need
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES ('p', 'client', '/project/:id/deploy', 'POST', '', '', '')
+ON CONFLICT ON CONSTRAINT unique_key_sqlx_adapter DO NOTHING;
+
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES ('p', 'client', '/project/:id/deploy/:cloud_id', 'POST', '', '', '')
+ON CONFLICT ON CONSTRAINT unique_key_sqlx_adapter DO NOTHING;
+
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES ('p', 'client', '/project/:id/compose', 'GET', '', '', '')
+ON CONFLICT ON CONSTRAINT unique_key_sqlx_adapter DO NOTHING;
+
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES ('p', 'client', '/project/:id/compose', 'POST', '', '', '')
+ON CONFLICT ON CONSTRAINT unique_key_sqlx_adapter DO NOTHING;
diff --git a/src/bin/stacker.rs b/src/bin/stacker.rs
@@ -91,6 +91,9 @@ enum StackerCommands {
         /// Name of saved cloud credential to reuse (overrides deploy.cloud.key in stacker.yml)
         #[arg(long, value_name = "KEY_NAME")]
         key: Option<String>,
+        /// ID of saved cloud credential to reuse (from `stacker list clouds`)
+        #[arg(long, value_name = "CLOUD_ID")]
+        key_id: Option<i32>,
         /// Name of saved server to reuse (overrides deploy.cloud.server in stacker.yml)
         #[arg(long, value_name = "SERVER_NAME")]
         server: Option<String>,
@@ -100,6 +103,12 @@ enum StackerCommands {
         /// Disable automatic progress watching after deploy
         #[arg(long)]
         no_watch: bool,
+        /// Persist server details into stacker.yml after deploy (for redeploy)
+        #[arg(long)]
+        lock: bool,
+        /// Skip server pre-check; force fresh cloud provision even if deploy.server exists
+        #[arg(long)]
+        force_new: bool,
     },
     /// Show container logs
     Logs {
@@ -207,6 +216,12 @@ enum ListCommands {
         #[arg(long)]
         json: bool,
     },
+    /// List saved cloud credentials
+    Clouds {
+        /// Output in JSON format
+        #[arg(long)]
+        json: bool,
+    },
 }
 
 #[derive(Debug, Subcommand)]
@@ -306,6 +321,16 @@ enum ConfigCommands {
         #[arg(long, default_value_t = true)]
         interactive: bool,
     },
+    /// Persist deployment lock into stacker.yml (writes deploy.server from last deploy)
+    Lock {
+        #[arg(long, value_name = "FILE")]
+        file: Option<String>,
+    },
+    /// Remove deploy.server section from stacker.yml (allows fresh cloud provision)
+    Unlock {
+        #[arg(long, value_name = "FILE")]
+        file: Option<String>,
+    },
     /// Guided setup helpers
     Setup {
         #[command(subcommand)]
@@ -500,9 +525,12 @@ fn get_command(
             force_rebuild,
             project,
             key,
+            key_id,
             server,
             watch,
             no_watch,
+            lock,
+            force_new,
         } => Box::new(
             stacker::console::commands::cli::deploy::DeployCommand::new(
                 target,
@@ -511,7 +539,10 @@ fn get_command(
                 force_rebuild,
             )
             .with_remote_overrides(project, key, server)
-            .with_watch(watch, no_watch),
+            .with_key_id(key_id)
+            .with_watch(watch, no_watch)
+            .with_lock(lock)
+            .with_force_new(force_new),
         ),
         StackerCommands::Logs {
             service,
@@ -540,6 +571,12 @@ fn get_command(
             ConfigCommands::Fix { file, interactive } => Box::new(
                 stacker::console::commands::cli::config::ConfigFixCommand::new(file, interactive),
             ),
+            ConfigCommands::Lock { file } => Box::new(
+                stacker::console::commands::cli::config::ConfigLockCommand::new(file),
+            ),
+            ConfigCommands::Unlock { file } => Box::new(
+                stacker::console::commands::cli::config::ConfigUnlockCommand::new(file),
+            ),
             ConfigCommands::Setup { command } => match command {
                 ConfigSetupCommands::Cloud { file } => Box::new(
                     stacker::console::commands::cli::config::ConfigSetupCloudCommand::new(file),
@@ -590,6 +627,9 @@ fn get_command(
             ListCommands::SshKeys { json } => Box::new(
                 stacker::console::commands::cli::list::ListSshKeysCommand::new(json),
             ),
+            ListCommands::Clouds { json } => Box::new(
+                stacker::console::commands::cli::list::ListCloudsCommand::new(json),
+            ),
         },
         StackerCommands::SshKey { command: ssh_cmd } => match ssh_cmd {
             SshKeyCommands::Generate { server_id, save_to } => Box::new(
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		DROP INDEX IF EXISTS idx_cloud_user_name;
		ALTER TABLE cloud DROP COLUMN IF EXISTS name;