Artifact publishing foundations (slug, artifacts table, DNS + Caddy TLS)#52
Open
obaid wants to merge 1 commit into
Open
Artifact publishing foundations (slug, artifacts table, DNS + Caddy TLS)#52obaid wants to merge 1 commit into
obaid wants to merge 1 commit into
Conversation
…addy TLS
Groundwork for serving agent-published web artifacts at
{agent.slug}.provisionagents.com. No publishing yet — that's the next PR.
- agents.slug: globally-unique subdomain key (handle is only unique per team),
generated on create and backfilled for existing agents.
- agent_artifacts table + model + enums (static|app, public|gated).
- CloudflareDnsService: idempotent A-record create/repoint/delete for an
agent's subdomain, DNS-only so Caddy can do HTTP-01. Gated by config
(CLOUDFLARE_API_TOKEN / CLOUDFLARE_ZONE_ID / ARTIFACT_DOMAIN).
- Caddy: server setup now writes a global on_demand_tls block (gated by a new
GET /api/caddy/ask endpoint that only allows hosts with a live artifact) and
imports per-agent site blocks from /etc/caddy/sites; the sslip.io host keeps
its path-based conf.d snippets.
Tests cover slug uniqueness, the DNS client (mocked), the ask endpoint, and the
Caddyfile output. Full suite green.
This was referenced Jul 1, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Feature 1, PR 1 of ~5. Foundations only — no publishing happens yet. Sets up the irreversible/infra pieces the rest builds on so they can be reviewed in isolation.
Recap of the agreed design: agents publish web artifacts (static or running apps) to a per-agent subdomain
{agent.slug}.provisionagents.com, each artifact public or gated.What's in this PR
agents.slughandleis only unique per team). Generated on create, backfilled for existing agents.agent_artifactstype(static|app),visibility(public|gated), source dir / start command / port, status, public_url.CloudflareDnsServiceon_demand_tlsblock gated by a newGET /api/caddy/askendpoint that only returns 200 for hosts mapping to a live artifact — prevents open-ended cert issuance. Per-agent site blocks import from/etc/caddy/sites; the sslip.io host keeps its path-basedconf.dsnippets.Config (set on Forge before it goes live)
CLOUDFLARE_API_TOKEN(Zone.DNS edit),CLOUDFLARE_ZONE_ID,ARTIFACT_DOMAIN=provisionagents.com. Until set,CloudflareDnsService::isConfigured()is false and nothing DNS-related runs.Tests
tests/Feature/Artifacts/— slug uniqueness + subdomain helper, the DNS client (mocked HTTP: create/idempotent/repoint/delete/unconfigured), the ask endpoint (live vs pending vs unknown vs off-domain), and the Caddyfile output. Full suite green (736 passed).Next PRs
agents.slugand backfills it — safe, but it's a write over every agent row.