feat: Cloud-version support with multi-tenant provisioning, agent connectivity, and workspace management (#30)

* feat: zero-connection startup with PostgreSQL SSL support

Enable graceful application startup without pre-configured database connections
and add SSL support for cloud PostgreSQL deployments.

## Features

- **Zero-Connection Startup**: App starts without DB_HOST set, users add connections via UI
- **PostgreSQL SSL**: New STORAGE_SSL_CA env var supports file paths or URLs (AWS RDS, GCP, Azure)
- **Server Startup Guard**: Frontend waits for backend initialization to prevent race conditions
- **SPA Routing**: Fixed client-side routing on page refresh with proper NestJS architecture
- **Enhanced UX**: Loading states, error boundaries, and helpful guidance for first-time setup

## Technical Changes

- New `waiting` status in health endpoints when no connections configured
- SpaFallbackModule with type-safe Fastify handlers and static file whitelist
- ServerStartupGuard component with progress indicators and timeout handling
- NoConnectionsGuard shows arrow pointing to sidebar connection selector
- Proper timeout cleanup to prevent memory leaks
- SSL certificate fetching with domain whitelist and 10s timeout

## Migration

- Fully backwards compatible - existing DB_HOST configurations work unchanged
- Optional: Set STORAGE_SSL_CA for cloud PostgreSQL requiring SSL
- API docs now at /docs instead of /api/docs

## Fixes

- SPA routing on page refresh in production
- Race condition on server startup
- Memory leak in polling component
- Inconsistent error messaging

* feat: zero-connection startup with PostgreSQL SSL support

Enable graceful application startup without pre-configured database connections
and add SSL support for cloud PostgreSQL deployments.

## Features

- **Zero-Connection Startup**: App starts without DB_HOST set, users add connections via UI
- **PostgreSQL SSL**: New STORAGE_SSL_CA env var supports file paths or URLs (AWS RDS, GCP, Azure)
- **Server Startup Guard**: Frontend waits for backend initialization to prevent race conditions
- **SPA Routing**: Fixed client-side routing on page refresh with proper NestJS architecture
- **Enhanced UX**: Loading states, error boundaries, and helpful guidance for first-time setup

## Technical Changes

- New `waiting` status in health endpoints when no connections configured
- SpaFallbackModule with type-safe Fastify handlers and static file whitelist
- ServerStartupGuard component with progress indicators and timeout handling
- NoConnectionsGuard shows arrow pointing to sidebar connection selector
- Proper timeout cleanup to prevent memory leaks
- SSL certificate fetching with domain whitelist and 10s timeout

## Migration

- Fully backwards compatible - existing DB_HOST configurations work unchanged
- Optional: Set STORAGE_SSL_CA for cloud PostgreSQL requiring SSL
- API docs now at /docs instead of /api/docs

## Fixes

- SPA routing on page refresh in production
- Race condition on server startup
- Memory leak in polling component
- Inconsistent error messaging

* fix: address security issues in SPA routing and SSL certificate handling

Fix SPA fallback broken by global API prefix, prevent subdomain spoofing in SSL CA domain whitelist, and block insecure HTTP URLs for certificate fetching.

* fix: address security issues in SPA routing and SSL certificate handling

Fix SPA fallback broken by global API prefix, prevent subdomain spoofing in SSL CA domain whitelist, and block insecure HTTP URLs for certificate fetching.

* fix: address security issues in SPA routing and SSL certificate handling

Move SPA fallback to Fastify setNotFoundHandler to avoid global prefix conflict, ensure API 404s return JSON not HTML, prevent subdomain spoofing in SSL CA domain validation, and block insecure HTTP URLs for certificate fetching.

* fix: address security issues in SPA routing and SSL certificate handling

Move SPA fallback to Fastify setNotFoundHandler to avoid global prefix conflict, ensure API 404s return JSON not HTML, prevent subdomain spoofing in SSL CA domain validation, and block insecure HTTP URLs for certificate fetching.

* fixed deployed conflict between fastify and nest

* fixed deployed conflict between fastify and nest

* fix: address security issues in SPA routing and SSL certificate handling

Register SPA fallback at Fastify level before NestJS to avoid global prefix conflicts, ensure API 404s return JSON, block insecure HTTP for SSL certificates, prevent subdomain spoofing with proper domain validation, restrict SPA fallback to GET requests only, and update DTOs with 'waiting' status.

* fix: address security issues in SPA routing and SSL certificate handling

Register SPA fallback at Fastify level before NestJS to avoid global prefix conflicts, ensure API 404s return JSON, block insecure HTTP for SSL certificates, prevent subdomain spoofing with proper domain validation, restrict SPA fallback to GET requests only, and update DTOs with 'waiting' status.

* fix: address security issues in SPA routing and SSL certificate handling

Register SPA fallback at Fastify level before NestJS to handle client-side routes correctly, ensure missing API routes return JSON 404, block HTTP for SSL certificates and validate only official CA distribution endpoints (AWS RDS PKI, GCP Cloud SQL, DigiCert), prevent subdomain spoofing with proper domain validation, restrict SPA fallback to GET requests only, exclude HEAD from catch-all to preserve Docker healthchecks, and update DTOs with 'waiting' status.

* fix: address security issues in SPA routing and SSL certificate handling

Register SPA fallback at Fastify level before NestJS to handle client-side routes correctly, ensure missing API routes return JSON 404, block HTTP for SSL certificates and validate only official CA distribution endpoints (AWS RDS PKI, GCP Cloud SQL, DigiCert), prevent subdomain spoofing with proper domain validation, restrict SPA fallback to GET requests only, exclude HEAD from catch-all to preserve Docker healthchecks, and update DTOs with 'waiting' status.

* fix: address security issues in SPA routing and SSL certificate handling

Register SPA fallback at Fastify level before NestJS to handle client-side routes, ensure missing API routes return JSON 404, block HTTP for SSL certificates and validate only official CA endpoints with proper path boundaries (AWS RDS PKI, GCP Cloud SQL with trailing slash, DigiCert), prevent subdomain spoofing, exclude HEAD from catch-all for Docker healthchecks, consolidate publicPath computation to prevent divergence, and update DTOs with 'waiting' status.

* fix: address security issues in SPA routing and SSL certificate handling

Register SPA fallback at Fastify level before NestJS to handle client-side routes, ensure missing API routes return JSON 404, block HTTP for SSL certificates and validate only official CA endpoints with proper path boundaries (AWS RDS PKI, GCP Cloud SQL with trailing slash, DigiCert), prevent subdomain spoofing, exclude HEAD from catch-all for Docker healthchecks, consolidate publicPath computation to prevent divergence, and update DTOs with 'waiting' status.

* fix: redirect follow behavior

* fix: redirect follow behavior

* fix: default config conflicting with new checks for the docker version

* fix: default config conflicting with new checks for the docker version

* version bump

* version bump

* Initial cloud-version setup and provisioning

* cloud-version phase 5A

* Phase 5c

* Phase 5 - testing and polishing

* Workspace management and basic handling

* basic agent for VPC connection

* graceful degradation and network improvements

* added docs about how to connect via agent

* build and deploy for the agent

* refreshing bug for agent conenctions

* terraform added to gitignore

* fix: add RuntimeCapabilityTracker to connection registry test providers

* fix: add RuntimeCapabilityTracker to remaining test provider

* tracking improvements

* fix: address bugbot review issues for cloud-version PR

  - Remove debug || true from isCloudMode prop
  - Separate try/catch for cluster slot stats to avoid disabling canClusterInfo
  - Block commands with subcommand restrictions when args are empty
  - Add .catch() to pool connect handler to prevent unhandled promise rejection
  - Fix Docker env var names (BETTERDB_TOKEN, BETTERDB_CLOUD_URL)
  - Fix npx package name to betterdb-agent

* fix: move agent token to Authorization header, fix slowlog overlay text

  - Send agent WebSocket token via Bearer header instead of URL query param
  - Server falls back to query param for backwards compat with older agents
  - Show "SLOWLOG/COMMANDLOG" in unavailable overlay instead of always SLOWLOG

* fix: prevent shell injection in agent release CI script

  Use process.env.VERSION instead of shell-interpolated $VERSION in node -e

* fix: hide update banner in cloud mode

* fix: generate Prisma client before API tests in CI

* feat: add deploymentMode field to telemetry payload

* version bump1

* build(deps): bump axios from 1.13.2 to 1.13.5 (#21)

Bumps [axios](https://github.com/axios/axios) from 1.13.2 to 1.13.5.
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.13.2...v1.13.5)

---
updated-dependencies:
- dependency-name: axios
  dependency-version: 1.13.5
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* version bumps

* fix: include deploymentMode in license_check payload

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Author: KIvanow

.github/workflows/agent-release.yml

@@ -0,0 +1,132 @@
+# Publish BetterDB Agent — Docker image + npm package
+#
+# Required secrets:
+#   DOCKERHUB_USERNAME — Docker Hub username
+#   DOCKERHUB_TOKEN   — Docker Hub access token
+#   NPM_TOKEN          — npmjs.com automation token
+
+name: Publish Agent
+
+on:
+  push:
+    tags:
+      - 'agent-v*'
+
+jobs:
+  publish-npm:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          registry-url: 'https://registry.npmjs.org'
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+
+      - name: Get pnpm store directory
+        shell: bash
+        run: |
+          echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
+
+      - name: Setup pnpm cache
+        uses: actions/cache@v4
+        with:
+          path: ${{ env.STORE_PATH }}
+          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
+          restore-keys: |
+            ${{ runner.os }}-pnpm-store-
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Extract version from tag
+        id: version
+        run: |
+          # agent-v0.1.0 → 0.1.0
+          echo "version=${GITHUB_REF_NAME#agent-v}" >> $GITHUB_OUTPUT
+
+      - name: Update package.json version
+        env:
+          VERSION: ${{ steps.version.outputs.version }}
+        run: |
+          cd packages/agent
+          node -e "
+            const pkg = require('./package.json');
+            pkg.version = process.env.VERSION;
+            require('fs').writeFileSync('./package.json', JSON.stringify(pkg, null, 2) + '\n');
+          "
+
+      - name: Build agent
+        run: cd packages/agent && pnpm build
+
+      - name: Verify build
+        run: node packages/agent/dist/index.js --help 2>&1 || true
+
+      - name: Prepare for publishing
+        run: |
+          cd packages/agent
+          # Remove workspace dependencies before npm publish
+          node -e "
+            const pkg = require('./package.json');
+            if (pkg.dependencies && pkg.dependencies['@betterdb/shared']) {
+              delete pkg.dependencies['@betterdb/shared'];
+            }
+            if (pkg.devDependencies) {
+              delete pkg.devDependencies;
+            }
+            require('fs').writeFileSync('./package.json', JSON.stringify(pkg, null, 2) + '\n');
+          "
+
+      - name: Publish to npm
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: cd packages/agent && npm publish --access public
+
+  publish-docker:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Extract version from tag
+        id: version
+        run: |
+          # agent-v0.1.0 → 0.1.0
+          echo "version=${GITHUB_REF_NAME#agent-v}" >> $GITHUB_OUTPUT
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./packages/agent/Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: |
+            betterdb/agent:${{ steps.version.outputs.version }}
+            betterdb/agent:latest
+          cache-from: type=gha,scope=agent
+          cache-to: type=gha,mode=max,scope=agent

.github/workflows/api-tests.yml

@@ -36,6 +36,10 @@ jobs:
 
       - run: pnpm install --frozen-lockfile
 
+      - name: Generate Prisma client
+        working-directory: proprietary/entitlement
+        run: pnpm prisma:generate
+
       - name: Run API tests
         working-directory: apps/api
         run: pnpm test

.gitignore

@@ -59,3 +59,11 @@ pnpm-debug.log*
 # OS
 .DS_Store
 Thumbs.db
+
+# Terraform
+.terraform/
+*.tfstate
+*.tfstate.backup
+terraform.tfvars
+*.tfvars
+!*.tfvars.example

apps/api/package.json

@@ -1,6 +1,6 @@
 {
   "name": "api",
-  "version": "0.5.0",
+  "version": "0.6.0",
   "private": true,
   "scripts": {
     "dev": "ts-node -r tsconfig-paths/register src/main.ts",
@@ -57,8 +57,10 @@
     "better-sqlite3": "^12.5.0",
     "class-transformer": "^0.5.1",
     "class-validator": "^0.14.3",
+    "fastify": "^5.7.2",
     "hnswlib-node": "^3.0.0",
     "iovalkey": "^0.3.3",
+    "jsonwebtoken": "^9.0.3",
     "langchain": "^1.2.7",
     "lru-cache": "^11.2.4",
     "ollama": "^0.6.3",
@@ -67,16 +69,19 @@
     "reflect-metadata": "^0.2.2",
     "rxjs": "^7.8.1",
     "semver": "^7.7.3",
+    "ws": "^8.0.0",
     "zod": "^4.3.5"
   },
   "devDependencies": {
     "@nestjs/cli": "^11.0.14",
     "@nestjs/schematics": "^11.0.3",
     "@nestjs/testing": "^11.1.12",
     "@types/jest": "^30.0.0",
+    "@types/jsonwebtoken": "^9.0.10",
     "@types/node": "^22.10.5",
     "@types/pg": "^8.16.0",
     "@types/semver": "^7.7.1",
+    "@types/ws": "^8.0.0",
     "@types/supertest": "^6.0.3",
     "@typescript-eslint/eslint-plugin": "^8.19.1",
     "@typescript-eslint/parser": "^8.19.1",

apps/api/src/app.module.ts

@@ -12,59 +12,85 @@ import { CommandLogAnalyticsModule } from './commandlog-analytics/commandlog-ana
 import { PrometheusModule } from './prometheus/prometheus.module';
 import { SettingsModule } from './settings/settings.module';
 import { WebhooksModule } from './webhooks/webhooks.module';
+import { CloudAuthModule } from './auth/cloud-auth.module';
 
 let AiModule: any = null;
 let LicenseModule: any = null;
 let KeyAnalyticsModule: any = null;
 let AnomalyModule: any = null;
 let WebhookProModule: any = null;
+let AgentModule: any = null;
 
 try {
-  const module = require('@proprietary/ai/ai.module');
+  // Use relative path for runtime resolution (tsconfig paths only work at compile time)
+  const module = require('../../../proprietary/ai/ai.module');
   AiModule = module.AiModule;
   console.log('[AI] Proprietary module loaded');
 } catch {
   // Proprietary module not available
 }
 
 try {
-  const licenseModule = require('@proprietary/license/license.module');
+  const licenseModule = require('../../../proprietary/license/license.module');
   LicenseModule = licenseModule.LicenseModule;
   console.log('[License] Proprietary module loaded');
 } catch {
   // Proprietary module not available
 }
 
 try {
-  const keyAnalyticsModule = require('@proprietary/key-analytics/key-analytics.module');
+  const keyAnalyticsModule = require('../../../proprietary/key-analytics/key-analytics.module');
   KeyAnalyticsModule = keyAnalyticsModule.KeyAnalyticsModule;
   console.log('[KeyAnalytics] Proprietary module loaded');
 } catch {
   // Proprietary module not available
 }
 
 try {
-  const anomalyModule = require('@proprietary/anomaly-detection/anomaly.module');
+  const anomalyModule = require('../../../proprietary/anomaly-detection/anomaly.module');
   AnomalyModule = anomalyModule.AnomalyModule;
   console.log('[AnomalyDetection] Proprietary module loaded');
 } catch {
   // Proprietary module not available
 }
 
 try {
-  const webhookProModule = require('@proprietary/webhook-pro');
+  const webhookProModule = require('../../../proprietary/webhook-pro');
   WebhookProModule = webhookProModule.WebhookProModule;
   console.log('[WebhookPro] Proprietary module loaded');
 } catch {
   // Proprietary module not available
 }
 
+if (process.env.CLOUD_MODE) {
+  try {
+    const agentModule = require('../../../proprietary/agent/agent.module');
+    AgentModule = agentModule.AgentModule;
+    console.log('[Agent] Proprietary module loaded');
+  } catch {
+    // Proprietary module not available
+  }
+}
+
+// Cloud auth module - uses proprietary implementation in cloud mode
+let CloudAuthModuleToUse: any = CloudAuthModule;
+if (process.env.CLOUD_MODE) {
+  try {
+    const proprietaryCloudAuth = require('../../../proprietary/cloud-auth/cloud-auth.module');
+    CloudAuthModuleToUse = proprietaryCloudAuth.ProprietaryCloudAuthModule;
+    console.log('[CloudAuth] Proprietary module loaded');
+  } catch {
+    // Proprietary module not available, use OSS no-op
+  }
+}
+
 const baseImports = [
   ConfigModule,
   ThrottlerModule.forRoot([{
     ttl: 60000, // 60 seconds
     limit: 10000, // Very high default - endpoint-specific limits provide actual rate limiting
   }]),
+  CloudAuthModuleToUse, // Cloud auth (no-op for self-hosted, proprietary for cloud)
   ConnectionsModule, // Must come early - provides ConnectionRegistry globally
   HealthModule,
   MetricsModule,
@@ -83,6 +109,7 @@ const proprietaryImports = [
   AnomalyModule,
   WebhookProModule,
   AiModule,
+  AgentModule,
 ].filter(Boolean);
 
 @Module({

apps/api/src/audit/audit.service.ts

@@ -7,6 +7,7 @@ import { SettingsService } from '../settings/settings.service';
 import { WebhookDispatcherService } from '../webhooks/webhook-dispatcher.service';
 import { MultiConnectionPoller, ConnectionContext } from '../common/services/multi-connection-poller';
 import { ConnectionRegistry } from '../connections/connection-registry.service';
+import { RuntimeCapabilityTracker } from '../connections/runtime-capability-tracker.service';
 
 @Injectable()
 export class AuditService extends MultiConnectionPoller implements OnModuleInit {
@@ -23,6 +24,7 @@ export class AuditService extends MultiConnectionPoller implements OnModuleInit
     private readonly settingsService: SettingsService,
     @Optional() private readonly webhookDispatcher?: WebhookDispatcherService,
     @Optional() @Inject(WEBHOOK_EVENTS_ENTERPRISE_SERVICE) private readonly webhookEventsEnterpriseService?: IWebhookEventsEnterpriseService,
+    private readonly runtimeCapabilityTracker?: RuntimeCapabilityTracker,
   ) {
     super(connectionRegistry);
   }
@@ -50,6 +52,10 @@ export class AuditService extends MultiConnectionPoller implements OnModuleInit
         return;
       }
 
+      if (this.runtimeCapabilityTracker && !this.runtimeCapabilityTracker.isAvailable(ctx.connectionId, 'canAclLog')) {
+        return;
+      }
+
       // Get ACL log entries
       const aclEntries = await ctx.client.getAclLog(100);
 
@@ -165,6 +171,10 @@ export class AuditService extends MultiConnectionPoller implements OnModuleInit
       this.lastSeenTimestamps.set(ctx.connectionId, latestTimestamp);
       this.prometheusService.incrementPollCounter(ctx.connectionId);
     } catch (error) {
+      if (this.runtimeCapabilityTracker?.recordFailure(ctx.connectionId, 'canAclLog', error instanceof Error ? error : String(error))) {
+        this.logger.warn(`ACL log disabled for ${ctx.connectionName} due to blocked command`);
+        return;
+      }
       this.logger.error(`Error polling ACL log for ${ctx.connectionName}: ${error instanceof Error ? error.message : 'Unknown error'}`);
       throw error;
     } finally {

apps/api/src/auth/auth.controller.ts

@@ -0,0 +1,11 @@
+import { Controller, Get, Query, Res } from '@nestjs/common';
+import { FastifyReply } from 'fastify';
+
+@Controller('auth')
+export class AuthCallbackController {
+  @Get('callback')
+  handleCallback(@Query('token') token: string, @Res() reply: FastifyReply) {
+    // OSS: no-op, just redirect to root
+    reply.redirect('/');
+  }
+}

apps/api/src/auth/cloud-auth.guard.ts

@@ -0,0 +1,12 @@
+import { Injectable, CanActivate, ExecutionContext } from '@nestjs/common';
+
+/**
+ * No-op cloud auth guard for self-hosted deployments.
+ * In cloud mode, the proprietary implementation replaces this.
+ */
+@Injectable()
+export class CloudAuthGuard implements CanActivate {
+  canActivate(context: ExecutionContext): boolean {
+    return true; // Self-hosted: no auth required
+  }
+}

apps/api/src/auth/cloud-auth.module.ts

@@ -0,0 +1,16 @@
+import { Module, Global } from '@nestjs/common';
+import { APP_GUARD } from '@nestjs/core';
+import { CloudAuthGuard } from './cloud-auth.guard';
+import { AuthCallbackController } from './auth.controller';
+
+@Global()
+@Module({
+  controllers: [AuthCallbackController],
+  providers: [
+    {
+      provide: APP_GUARD,
+      useClass: CloudAuthGuard,
+    },
+  ],
+})
+export class CloudAuthModule { }

apps/api/src/auth/index.ts

@@ -0,0 +1,3 @@
+export * from './cloud-auth.module';
+export * from './cloud-auth.guard';
+export * from './auth.controller';