fix: db-studio prefix fixes

Merge branch 'main' of github.com:GlueOps/autoglue
2026-02-13 12:50:05 +01:00 · 2025-11-11 04:23:27 +00:00 · 2025-11-11 04:01:57 +00:00 · 2025-11-11 03:20:10 +00:00 · 2025-11-11 03:19:09 +00:00 · 2025-11-11 03:03:05 +00:00
23 changed files with 663 additions and 92 deletions
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -39,7 +39,7 @@ jobs:
      # https://github.com/sigstore/cosign-installer
      - name: Install cosign
        if: github.event_name != 'pull_request'
-        uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3.10.1
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
        with:
          cosign-release: 'v2.2.4'

--- a/3
+++ b/3
@@ -310,6 +310,9 @@ doctor: ## Print environment diagnostics (shell, versions, generator availabilit
 		$(OGC_BIN) version || true; \
 	}

+fetch-pgweb: ## Fetch PGWeb Binaries for embedding
+	go run ./tools/pgweb_fetch.go
+
 help: ## Show this help
 	@grep -hE '^[a-zA-Z0-9_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | \
 	awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
--- a/cmd/db.go
+++ b/cmd/db.go
@@ -0,0 +1,51 @@
+package cmd
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"os"
+	"os/exec"
+	"runtime"
+	"time"
+
+	"github.com/glueops/autoglue/internal/config"
+	"github.com/spf13/cobra"
+)
+
+var dbCmd = &cobra.Command{
+	Use:   "db",
+	Short: "Database utilities",
+}
+
+var dbPsqlCmd = &cobra.Command{
+	Use:   "psql",
+	Short: "Open a psql session to the app database",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		cfg, err := config.Load()
+		if err != nil {
+			return err
+		}
+		if cfg.DbURL == "" {
+			return errors.New("database.url is empty")
+		}
+		psql := "psql"
+		if runtime.GOOS == "windows" {
+			psql = "psql.exe"
+		}
+
+		ctx, cancel := context.WithTimeout(context.Background(), 72*time.Hour)
+		defer cancel()
+
+		psqlCmd := exec.CommandContext(ctx, psql, cfg.DbURL)
+		psqlCmd.Stdin, psqlCmd.Stdout, psqlCmd.Stderr = os.Stdin, os.Stdout, os.Stderr
+		fmt.Println("Launching psql…")
+		return psqlCmd.Run()
+	},
+}
+
+func init() {
+	dbCmd.AddCommand(dbPsqlCmd)
+
+	rootCmd.AddCommand(dbCmd)
+}
--- a/cmd/serve.go
+++ b/cmd/serve.go
@@ -18,6 +18,7 @@ import (
 	"github.com/glueops/autoglue/internal/auth"
 	"github.com/glueops/autoglue/internal/bg"
 	"github.com/glueops/autoglue/internal/config"
+	"github.com/glueops/autoglue/internal/web"
 	"github.com/google/uuid"
 	"github.com/spf13/cobra"
 )
@@ -33,6 +34,8 @@ var serveCmd = &cobra.Command{
 			return err
 		}

+		var pgwebInst *web.Pgweb
+
 		jobs, err := bg.NewJobs(rt.DB, cfg.DbURL)
 		if err != nil {
 			log.Fatalf("failed to init background jobs: %v", err)
@@ -119,7 +122,31 @@ var serveCmd = &cobra.Command{
 			}
 		}()

-		r := api.NewRouter(rt.DB, jobs)
+		var studioHandler http.Handler
+		r := api.NewRouter(rt.DB, jobs, nil)
+
+		if cfg.DBStudioEnabled {
+			dbURL := cfg.DbURLRO
+			if dbURL == "" {
+				dbURL = cfg.DbURL
+			}
+
+			pgwebInst, err = web.StartPgweb(
+				dbURL,
+				cfg.DBStudioBind,
+				cfg.DBStudioPort,
+				true,
+				cfg.DBStudioUser,
+				cfg.DBStudioPass,
+			)
+			if err != nil {
+				log.Printf("pgweb failed to start: %v", err)
+			} else {
+				studioHandler = http.HandlerFunc(pgwebInst.Proxy())
+				r = api.NewRouter(rt.DB, jobs, studioHandler)
+				log.Printf("pgweb running on http://%s:%s (proxied at /db-studio/)", cfg.DBStudioBind, pgwebInst.Port())
+			}
+		}

 		addr := fmt.Sprintf("%s:%s", cfg.Host, cfg.Port)

@@ -143,6 +170,9 @@ var serveCmd = &cobra.Command{

 		<-ctx.Done()
 		fmt.Println("\n⏳ Shutting down...")
+		if pgwebInst != nil {
+			_ = pgwebInst.Stop(context.Background())
+		}
 		shutdownCtx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 		defer cancel()
 		return srv.Shutdown(shutdownCtx)
--- a/internal/api/httpmiddleware/auth.go
+++ b/internal/api/httpmiddleware/auth.go
@@ -49,6 +49,14 @@ func AuthMiddleware(db *gorm.DB, requireOrg bool) func(http.Handler) http.Handle
 				} else if appKey := r.Header.Get("X-APP-KEY"); appKey != "" {
 					secret := r.Header.Get("X-APP-SECRET")
 					user = auth.ValidateAppKeyPair(appKey, secret, db)
+				} else if c, err := r.Cookie("ag_jwt"); err == nil {
+					tok := strings.TrimSpace(c.Value)
+					if strings.HasPrefix(strings.ToLower(tok), "bearer ") {
+						tok = tok[7:]
+					}
+					if tok != "" {
+						user = auth.ValidateJWT(tok, db)
+					}
 				}

 				if user == nil {
--- a/internal/api/routes.go
+++ b/internal/api/routes.go
@@ -27,7 +27,7 @@ import (
 	httpSwagger "github.com/swaggo/http-swagger/v2"
 )

-func NewRouter(db *gorm.DB, jobs *bg.Jobs) http.Handler {
+func NewRouter(db *gorm.DB, jobs *bg.Jobs, studio http.Handler) http.Handler {
 	zerolog.TimeFieldFormat = time.RFC3339

 	l := log.Output(zerolog.ConsoleWriter{Out: os.Stdout, TimeFormat: "15:04:05"})
@@ -38,6 +38,7 @@ func NewRouter(db *gorm.DB, jobs *bg.Jobs) http.Handler {
 	r.Use(middleware.RealIP)
 	r.Use(zeroLogMiddleware())
 	r.Use(middleware.Recoverer)
+	// r.Use(middleware.RedirectSlashes)
 	r.Use(SecurityHeaders)
 	r.Use(requestBodyLimit(10 << 20))
 	r.Use(httprate.LimitByIP(100, 1*time.Minute))
@@ -212,6 +213,17 @@ func NewRouter(db *gorm.DB, jobs *bg.Jobs) http.Handler {
 			})
 		})
 	})
+
+	if studio != nil {
+		r.Group(func(gr chi.Router) {
+			authUser := httpmiddleware.AuthMiddleware(db, false)
+			adminOnly := httpmiddleware.RequirePlatformAdmin()
+			gr.Use(authUser)
+			gr.Use(adminOnly)
+			gr.Mount("/db-studio", studio)
+		})
+	}
+
 	if config.IsDebug() {
 		r.Route("/debug/pprof", func(pr chi.Router) {
 			pr.Get("/", httpPprof.Index)
@@ -251,6 +263,7 @@ func NewRouter(db *gorm.DB, jobs *bg.Jobs) http.Handler {
 		mux.Handle("/api/", r)
 		mux.Handle("/api", r)
 		mux.Handle("/swagger/", r)
+		mux.Handle("/db-studio/", r)
 		mux.Handle("/debug/pprof/", r)
 		// Everything else (/, /brand-preview, assets) → proxy (no middlewares)
 		mux.Handle("/", proxy)
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -13,6 +13,7 @@ import (

 type Config struct {
 	DbURL              string
+	DbURLRO            string
 	Port               string
 	Host               string
 	JWTIssuer          string
@@ -29,6 +30,12 @@ type Config struct {
 	Debug       bool
 	Swagger     bool
 	SwaggerHost string
+
+	DBStudioEnabled bool
+	DBStudioBind    string
+	DBStudioPort    string
+	DBStudioUser    string
+	DBStudioPass    string
 }

 var (
@@ -48,6 +55,12 @@ func Load() (Config, error) {
 		v.SetDefault("bind.address", "127.0.0.1")
 		v.SetDefault("bind.port", "8080")
 		v.SetDefault("database.url", "postgres://user:pass@localhost:5432/db?sslmode=disable")
+		v.SetDefault("database.url_ro", "")
+		v.SetDefault("db_studio.enabled", false)
+		v.SetDefault("db_studio.bind", "127.0.0.1")
+		v.SetDefault("db_studio.port", "0") // 0 = random
+		v.SetDefault("db_studio.user", "")
+		v.SetDefault("db_studio.pass", "")

 		v.SetDefault("ui.dev", false)
 		v.SetDefault("env", "development")
@@ -63,6 +76,7 @@ func Load() (Config, error) {
 			"bind.address",
 			"bind.port",
 			"database.url",
+			"database.url_ro",
 			"jwt.issuer",
 			"jwt.audience",
 			"jwt.private.enc.key",
@@ -76,6 +90,11 @@ func Load() (Config, error) {
 			"debug",
 			"swagger",
 			"swagger.host",
+			"db_studio.enabled",
+			"db_studio.bind",
+			"db_studio.port",
+			"db_studio.user",
+			"db_studio.pass",
 		}
 		for _, k := range keys {
 			_ = v.BindEnv(k)
@@ -84,6 +103,7 @@ func Load() (Config, error) {
 		// Build config
 		cfg := Config{
 			DbURL:              v.GetString("database.url"),
+			DbURLRO:            v.GetString("database.url_ro"),
 			Port:               v.GetString("bind.port"),
 			Host:               v.GetString("bind.address"),
 			JWTIssuer:          v.GetString("jwt.issuer"),
@@ -100,6 +120,12 @@ func Load() (Config, error) {
 			Debug:       v.GetBool("debug"),
 			Swagger:     v.GetBool("swagger"),
 			SwaggerHost: v.GetString("swagger.host"),
+
+			DBStudioEnabled: v.GetBool("db_studio.enabled"),
+			DBStudioBind:    v.GetString("db_studio.bind"),
+			DBStudioPort:    v.GetString("db_studio.port"),
+			DBStudioUser:    v.GetString("db_studio.user"),
+			DBStudioPass:    v.GetString("db_studio.pass"),
 		}

 		// Validate
--- a/internal/handlers/auth.go
+++ b/internal/handlers/auth.go
@@ -273,6 +273,21 @@ func AuthCallback(db *gorm.DB) http.HandlerFunc {
 			return
 		}

+		secure := strings.HasPrefix(cfg.OAuthRedirectBase, "https://")
+		if xf := r.Header.Get("X-Forwarded-Proto"); xf != "" {
+			secure = strings.EqualFold(xf, "https")
+		}
+
+		http.SetCookie(w, &http.Cookie{
+			Name:     "ag_jwt",
+			Value:    "Bearer " + access,
+			Path:     "/",
+			HttpOnly: true,
+			SameSite: http.SameSiteLaxMode,
+			Secure:   secure,
+			MaxAge:   int((time.Hour * 8).Seconds()),
+		})
+
 		// If the state indicates SPA popup mode, postMessage tokens to the opener and close
 		state := r.URL.Query().Get("state")
 		if strings.Contains(state, "mode=spa") {
@@ -377,6 +392,7 @@ func Refresh(db *gorm.DB) http.HandlerFunc {
 //	@Router		/auth/logout [post]
 func Logout(db *gorm.DB) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
+		cfg, _ := config.Load()
 		var req dto.LogoutRequest
 		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
 			utils.WriteError(w, 400, "invalid_json", err.Error())
@@ -385,13 +401,27 @@ func Logout(db *gorm.DB) http.HandlerFunc {
 		rec, err := auth.ValidateRefreshToken(db, req.RefreshToken)
 		if err != nil {
 			w.WriteHeader(204) // already invalid/revoked
-			return
+			goto clearCookie
 		}
 		if err := auth.RevokeFamily(db, rec.FamilyID); err != nil {
 			utils.WriteError(w, 500, "revoke_failed", err.Error())
 			return
 		}
+
+	clearCookie:
+		http.SetCookie(w, &http.Cookie{
+			Name:     "ag_jwt",
+			Value:    "",
+			Path:     "/",
+			HttpOnly: true,
+			MaxAge:   -1,
+			Expires:  time.Unix(0, 0),
+			SameSite: http.SameSiteLaxMode,
+			Secure:   strings.HasPrefix(cfg.OAuthRedirectBase, "https"),
+		})
+
 		w.WriteHeader(204)
+
 	}
 }

--- a/internal/handlers/clusters.go
+++ b/internal/handlers/clusters.go
@@ -106,20 +106,20 @@ func clusterToDTO(c models.Cluster) dto.ClusterResponse {
 	}

 	return dto.ClusterResponse{
-		ID:                  c.ID,
-		Name:                c.Name,
-		Provider:            c.Provider,
-		Region:              c.Region,
-		Status:              c.Status,
-		CaptainDomain:       c.CaptainDomain,
-		ClusterLoadBalancer: c.ClusterLoadBalancer,
-		RandomToken:         c.RandomToken,
-		CertificateKey:      c.CertificateKey,
-		ControlLoadBalancer: c.ControlLoadBalancer,
-		NodePools:           nps,
-		BastionServer:       bastion,
-		CreatedAt:           c.CreatedAt,
-		UpdatedAt:           c.UpdatedAt,
+		ID:            c.ID,
+		Name:          c.Name,
+		Provider:      c.Provider,
+		Region:        c.Region,
+		Status:        c.Status,
+		CaptainDomain: c.CaptainDomain,
+		//ClusterLoadBalancer: c.ClusterLoadBalancer,
+		RandomToken:    c.RandomToken,
+		CertificateKey: c.CertificateKey,
+		//ControlLoadBalancer: c.ControlLoadBalancer,
+		NodePools:     nps,
+		BastionServer: bastion,
+		CreatedAt:     c.CreatedAt,
+		UpdatedAt:     c.UpdatedAt,
 	}
 }

--- a/internal/models/cluster.go
+++ b/internal/models/cluster.go
@@ -14,17 +14,20 @@ type Cluster struct {
 	Provider            string       `json:"provider"`
 	Region              string       `json:"region"`
 	Status              string       `json:"status"`
-	CaptainDomain       string       `gorm:"not null" json:"captain_domain"`
-	ClusterLoadBalancer string       `json:"cluster_load_balancer"`
-	ControlLoadBalancer string       `json:"control_load_balancer"`
-	RandomToken         string       `json:"random_token"`
-	CertificateKey      string       `json:"certificate_key"`
-	EncryptedKubeconfig string       `gorm:"type:text" json:"-"`
-	KubeIV              string       `json:"-"`
-	KubeTag             string       `json:"-"`
-	NodePools           []NodePool   `gorm:"many2many:cluster_node_pools;constraint:OnDelete:CASCADE" json:"node_pools,omitempty"`
-	BastionServerID     *uuid.UUID   `gorm:"type:uuid" json:"bastion_server_id,omitempty"`
-	BastionServer       *Server      `gorm:"foreignKey:BastionServerID" json:"bastion_server,omitempty"`
-	CreatedAt           time.Time    `json:"created_at,omitempty" gorm:"type:timestamptz;column:created_at;not null;default:now()"`
-	UpdatedAt           time.Time    `json:"updated_at,omitempty" gorm:"type:timestamptz;autoUpdateTime;column:updated_at;not null;default:now()"`
+	CaptainDomain       string       `gorm:"not null" json:"captain_domain"` // nonprod.earth.onglueops.rocks
+	AppsLoadBalancer    string       `json:"cluster_load_balancer"`          // {public_ip: 1.2.3.4, private_ip: 10.0.30.1, name: apps.CaqptainDomain}
+	GlueOpsLoadBalancer string       `json:"control_load_balancer"`          // {public_ip: 5.6.7.8, private_ip: 10.0.22.1, name: CaptainDomain}
+
+	ControlPlane string `json:"control_plane"` // <- dns cntlpn
+
+	RandomToken         string     `json:"random_token"`
+	CertificateKey      string     `json:"certificate_key"`
+	EncryptedKubeconfig string     `gorm:"type:text" json:"-"`
+	KubeIV              string     `json:"-"`
+	KubeTag             string     `json:"-"`
+	NodePools           []NodePool `gorm:"many2many:cluster_node_pools;constraint:OnDelete:CASCADE" json:"node_pools,omitempty"`
+	BastionServerID     *uuid.UUID `gorm:"type:uuid" json:"bastion_server_id,omitempty"`
+	BastionServer       *Server    `gorm:"foreignKey:BastionServerID" json:"bastion_server,omitempty"`
+	CreatedAt           time.Time  `json:"created_at,omitempty" gorm:"type:timestamptz;column:created_at;not null;default:now()"`
+	UpdatedAt           time.Time  `json:"updated_at,omitempty" gorm:"type:timestamptz;autoUpdateTime;column:updated_at;not null;default:now()"`
 }
--- a/internal/models/dns.go
+++ b/internal/models/dns.go
@@ -1,20 +0,0 @@
-package models
-
-import (
-	"time"
-
-	"github.com/google/uuid"
-)
-
-type Dns struct {
-	ID             uuid.UUID    `gorm:"type:uuid;primaryKey;default:gen_random_uuid()"`
-	OrganizationID uuid.UUID    `gorm:"type:uuid;not null;uniqueIndex:idx_credentials_org_provider" json:"organization_id"`
-	Organization   Organization `gorm:"foreignKey:OrganizationID;constraint:OnDelete:CASCADE" json:"organization"`
-	ClusterID      *uuid.UUID   `gorm:"type:uuid" json:"cluster_id,omitempty"`
-	Cluster        *Cluster     `gorm:"foreignKey:ClusterID" json:"cluster,omitempty"`
-	Type           string       `gorm:"not null" json:"type,omitempty"`
-	Name           string       `gorm:"not null" json:"name,omitempty"`
-	Content        string       `gorm:"not null" json:"content,omitempty"`
-	CreatedAt      time.Time    `json:"created_at,omitempty" gorm:"type:timestamptz;column:created_at;not null;default:now()"`
-	UpdatedAt      time.Time    `json:"updated_at,omitempty" gorm:"type:timestamptz;autoUpdateTime;column:updated_at;not null;default:now()"`
-}
--- a/internal/models/domain.go
+++ b/internal/models/domain.go
@@ -0,0 +1,21 @@
+package models
+
+import (
+	"time"
+
+	"github.com/google/uuid"
+)
+
+type Domain struct {
+	ID             uuid.UUID    `gorm:"type:uuid;primaryKey;default:gen_random_uuid()"`
+	OrganizationID uuid.UUID    `gorm:"type:uuid;not null;uniqueIndex:idx_credentials_org_provider" json:"organization_id"`
+	Organization   Organization `gorm:"foreignKey:OrganizationID;constraint:OnDelete:CASCADE" json:"organization"`
+	ClusterID      *uuid.UUID   `gorm:"type:uuid" json:"cluster_id,omitempty"`
+	Cluster        *Cluster     `gorm:"foreignKey:ClusterID" json:"cluster,omitempty"`
+	DomainName     string       `gorm:"not null;index" json:"domain_name,omitempty"`
+	DomainID       string
+	CredentialID   uuid.UUID  `gorm:"type:uuid;not null" json:"credential_id"`
+	Credential     Credential `gorm:"foreignKey:CredentialID" json:"credential,omitempty"`
+	CreatedAt      time.Time  `json:"created_at,omitempty" gorm:"type:timestamptz;column:created_at;not null;default:now()"`
+	UpdatedAt      time.Time  `json:"updated_at,omitempty" gorm:"type:timestamptz;autoUpdateTime;column:updated_at;not null;default:now()"`
+}
--- a/internal/web/pgweb_embed.go
+++ b/internal/web/pgweb_embed.go
@@ -0,0 +1,85 @@
+package web
+
+import (
+	"crypto/sha256"
+	"embed"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"runtime"
+)
+
+//go:embed pgwebbin/*
+var pgwebFS embed.FS
+
+type pgwebAsset struct {
+	Path   string
+	SHA256 string
+}
+
+var pgwebIndex = map[string]pgwebAsset{
+	"linux/amd64":  {Path: "pgwebbin/pgweb-linux-amd64", SHA256: ""},
+	"linux/arm64":  {Path: "pgwebbin/pgweb-linux-arm64", SHA256: ""},
+	"darwin/amd64": {Path: "pgwebbin/pgweb-darwin-amd64", SHA256: ""},
+	"darwin/arm64": {Path: "pgwebbin/pgweb-darwin-arm64", SHA256: ""},
+}
+
+func ExtractPgweb() (string, error) {
+	key := runtime.GOOS + "/" + runtime.GOARCH
+	as, ok := pgwebIndex[key]
+	if !ok {
+		return "", fmt.Errorf("pgweb not embedded for %s", key)
+	}
+	f, err := pgwebFS.Open(as.Path)
+	if err != nil {
+		return "", fmt.Errorf("embedded pgweb missing: %w", err)
+	}
+	defer f.Close()
+
+	tmpDir, err := os.MkdirTemp("", "pgweb-*")
+	if err != nil {
+		return "", err
+	}
+
+	filename := "pgweb"
+	if runtime.GOOS == "windows" {
+		filename += ".exe"
+	}
+	outPath := filepath.Join(tmpDir, filename)
+
+	out, err := os.OpenFile(outPath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o700)
+	if err != nil {
+		return "", err
+	}
+	defer out.Close()
+
+	h := sha256.New()
+	if _, err = io.Copy(io.MultiWriter(out, h), f); err != nil {
+		return "", err
+	}
+
+	if as.SHA256 != "" {
+		got := hex.EncodeToString(h.Sum(nil))
+		if got != as.SHA256 {
+			return "", fmt.Errorf("pgweb checksum mismatch: got=%s want=%s", got, as.SHA256)
+		}
+	}
+
+	// Make sure it’s executable on Unix; Windows ignores this.
+	_ = os.Chmod(outPath, 0o700)
+	return outPath, nil
+}
+
+func CleanupPgweb(pgwebPath string) error {
+	if pgwebPath == "" {
+		return nil
+	}
+	dir := filepath.Dir(pgwebPath)
+	if dir == "" || dir == "/" || dir == "." {
+		return errors.New("refusing to remove suspicious directory")
+	}
+	return os.RemoveAll(dir)
+}
--- a/internal/web/pgweb_proxy.go
+++ b/internal/web/pgweb_proxy.go
@@ -0,0 +1,107 @@
+package web
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"net/http"
+	"net/http/httputil"
+	"net/url"
+	"os"
+	"os/exec"
+	"time"
+)
+
+type Pgweb struct {
+	cmd  *exec.Cmd
+	host string
+	port string
+	bin  string
+}
+
+func StartPgweb(dbURL, host, port string, readonly bool, user, pass string) (*Pgweb, error) {
+	// pick random port if 0/empty
+	if port == "" || port == "0" {
+		l, err := net.Listen("tcp", net.JoinHostPort(host, "0"))
+		if err != nil {
+			return nil, err
+		}
+		defer l.Close()
+		_, p, _ := net.SplitHostPort(l.Addr().String())
+		port = p
+	}
+
+	args := []string{
+		"--url", dbURL,
+		"--bind", host,
+		"--listen", port,
+		"--prefix", "db-studio",
+		"--skip-open",
+	}
+	if readonly {
+		args = append(args, "--readonly")
+	}
+	if user != "" && pass != "" {
+		args = append(args, "--auth-user", user, "--auth-pass", pass)
+	}
+
+	pgwebBinary, err := ExtractPgweb()
+	if err != nil {
+		return nil, fmt.Errorf("pgweb extract: %w", err)
+	}
+
+	cmd := exec.Command(pgwebBinary, args...)
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+
+	if err := cmd.Start(); err != nil {
+		return nil, err
+	}
+
+	// wait for port to be ready
+	deadline := time.Now().Add(4 * time.Second)
+	for time.Now().Before(deadline) {
+		c, err := net.DialTimeout("tcp", net.JoinHostPort(host, port), 200*time.Millisecond)
+		if err == nil {
+			_ = c.Close()
+			return &Pgweb{cmd: cmd, host: host, port: port}, nil
+		}
+		time.Sleep(120 * time.Millisecond)
+	}
+	// still return object so caller can Stop()
+	//return &Pgweb{cmd: cmd, host: host, port: port, bin: pgwebBinary}, nil
+	return nil, fmt.Errorf("pgweb did not become ready on %s:%s", host, port)
+}
+
+func (p *Pgweb) Proxy() http.HandlerFunc {
+	target, _ := url.Parse("http://" + net.JoinHostPort(p.host, p.port))
+	proxy := httputil.NewSingleHostReverseProxy(target)
+	proxy.FlushInterval = 100 * time.Millisecond
+	return func(w http.ResponseWriter, r *http.Request) {
+		r.Host = target.Host
+		// Let pgweb handle its paths; we mount it at a prefix.
+		proxy.ServeHTTP(w, r)
+	}
+}
+
+func (p *Pgweb) Stop(ctx context.Context) error {
+	if p == nil || p.cmd == nil || p.cmd.Process == nil {
+		return nil
+	}
+	_ = p.cmd.Process.Kill()
+	done := make(chan struct{})
+	go func() { _, _ = p.cmd.Process.Wait(); close(done) }()
+	select {
+	case <-done:
+		if p.bin != "" {
+			_ = CleanupPgweb(p.bin)
+		}
+	case <-ctx.Done():
+		return ctx.Err()
+	}
+	return nil
+}
+
+func (p *Pgweb) Port() string {
+	return p.port
+}
--- a/internal/web/pgwebbin/pgweb-darwin-amd64
+++ b/internal/web/pgwebbin/pgweb-darwin-amd64
--- a/internal/web/pgwebbin/pgweb-darwin-arm64
+++ b/internal/web/pgwebbin/pgweb-darwin-arm64
--- a/internal/web/pgwebbin/pgweb-linux-amd64
+++ b/internal/web/pgwebbin/pgweb-linux-amd64
--- a/internal/web/pgwebbin/pgweb-linux-arm64
+++ b/internal/web/pgwebbin/pgweb-linux-arm64
--- a/internal/web/static.go
+++ b/internal/web/static.go
@@ -61,6 +61,7 @@ func SPAHandler() (http.Handler, error) {
 		if strings.HasPrefix(r.URL.Path, "/api/") ||
 			r.URL.Path == "/api" ||
 			strings.HasPrefix(r.URL.Path, "/swagger") ||
+			strings.HasPrefix(r.URL.Path, "/db-studio") ||
 			strings.HasPrefix(r.URL.Path, "/debug/pprof") {
 			http.NotFound(w, r)
 			return
--- a/tools/pgweb_fetch.go
+++ b/tools/pgweb_fetch.go
@@ -0,0 +1,171 @@
+//go:build ignore
+// +build ignore
+
+package main
+
+import (
+	"archive/zip"
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"path/filepath"
+)
+
+type Target struct {
+	Name   string
+	URL    string
+	SHA256 string
+}
+
+const version = "0.16.2"
+
+func main() {
+	targets := []Target{
+		{
+			Name:   "pgweb-linux-amd64",
+			URL:    fmt.Sprintf("https://github.com/sosedoff/pgweb/releases/download/v%s/pgweb_linux_amd64.zip", version),
+			SHA256: "",
+		},
+		{
+			Name:   "pgweb-linux-arm64",
+			URL:    fmt.Sprintf("https://github.com/sosedoff/pgweb/releases/download/v%s/pgweb_linux_arm64.zip", version),
+			SHA256: "",
+		},
+		{
+			Name:   "pgweb-darwin-amd64",
+			URL:    fmt.Sprintf("https://github.com/sosedoff/pgweb/releases/download/v%s/pgweb_darwin_amd64.zip", version),
+			SHA256: "",
+		},
+		{
+			Name:   "pgweb-darwin-arm64",
+			URL:    fmt.Sprintf("https://github.com/sosedoff/pgweb/releases/download/v%s/pgweb_darwin_arm64.zip", version),
+			SHA256: "",
+		},
+	}
+
+	outDir := filepath.Join("internal", "web", "pgwebbin")
+	_ = os.MkdirAll(outDir, 0o755)
+
+	for _, t := range targets {
+		destZip := filepath.Join(outDir, t.Name+".zip")
+		fmt.Printf("Downloading %s...\n", t.URL)
+		if err := downloadFile(destZip, t.URL); err != nil {
+			panic(err)
+		}
+		binPath := filepath.Join(outDir, t.Name)
+		if err := unzipSingle(destZip, binPath); err != nil {
+			panic(err)
+		}
+		_ = os.Remove(destZip)
+
+		// Make executable
+		if err := os.Chmod(binPath, 0o755); err != nil {
+			panic(err)
+		}
+		fmt.Printf("Saved %s\n", binPath)
+
+		// Compute checksum
+		sum, _ := fileSHA256(binPath)
+		fmt.Printf("  SHA256: %s\n", sum)
+	}
+}
+
+func downloadFile(dest, url string) error {
+	resp, err := http.Get(url)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != 200 {
+		return fmt.Errorf("bad status: %s", resp.Status)
+	}
+	out, err := os.Create(dest)
+	if err != nil {
+		return err
+	}
+	defer out.Close()
+	_, err = io.Copy(out, resp.Body)
+	return err
+}
+
+func fileSHA256(path string) (string, error) {
+	f, err := os.Open(path)
+	if err != nil {
+		return "", err
+	}
+	defer f.Close()
+	h := sha256.New()
+	if _, err := io.Copy(h, f); err != nil {
+		return "", err
+	}
+	return hex.EncodeToString(h.Sum(nil)), nil
+}
+
+func unzipSingle(zipPath, outPath string) error {
+	// minimal unzip: because pgweb zip has only one binary
+	r, err := os.Open(zipPath)
+	if err != nil {
+		return err
+	}
+	defer r.Close()
+
+	// use archive/zip
+	stat, err := os.Stat(zipPath)
+	if err != nil {
+		return err
+	}
+	return unzipFile(zipPath, outPath, stat.Size())
+}
+
+func unzipFile(zipFile, outFile string, _ int64) error {
+	r, err := os.Open(zipFile)
+	if err != nil {
+		return err
+	}
+	defer r.Close()
+	fi, _ := r.Stat()
+
+	// rely on standard zip reader
+	data, err := io.ReadAll(r)
+	if err != nil {
+		return err
+	}
+	tmpZip := filepath.Join(os.TempDir(), fi.Name())
+	if err := os.WriteFile(tmpZip, data, 0o644); err != nil {
+		return err
+	}
+	defer os.Remove(tmpZip)
+
+	zr, err := os.Open(tmpZip)
+	if err != nil {
+		return err
+	}
+	defer zr.Close()
+	// extract using standard lib
+	zr2, err := zip.OpenReader(tmpZip)
+	if err != nil {
+		return err
+	}
+	defer zr2.Close()
+	for _, f := range zr2.File {
+		rc, err := f.Open()
+		if err != nil {
+			return err
+		}
+		defer rc.Close()
+		out, err := os.Create(outFile)
+		if err != nil {
+			return err
+		}
+		if _, err := io.Copy(out, rc); err != nil {
+			out.Close()
+			return err
+		}
+		out.Close()
+		break
+	}
+	return nil
+}
--- a/ui/src/pages/credentials/credential-page.tsx
+++ b/ui/src/pages/credentials/credential-page.tsx
@@ -2,7 +2,16 @@ import { useMemo, useState } from "react"
 import { credentialsApi } from "@/api/credentials"
 import { zodResolver } from "@hookform/resolvers/zod"
 import { useMutation, useQuery, useQueryClient } from "@tanstack/react-query"
-import { AlertTriangle, Eye, Loader2, MoreHorizontal, Pencil, Plus, Search, Trash2, } from "lucide-react"
+import {
+  AlertTriangle,
+  Eye,
+  Loader2,
+  MoreHorizontal,
+  Pencil,
+  Plus,
+  Search,
+  Trash2,
+} from "lucide-react"
 import { Controller, useForm } from "react-hook-form"
 import { toast } from "sonner"
 import { z } from "zod"
@@ -20,16 +29,36 @@ import {
 } from "@/components/ui/alert-dialog"
 import { Badge } from "@/components/ui/badge"
 import { Button } from "@/components/ui/button"
-import { Dialog, DialogContent, DialogFooter, DialogHeader, DialogTitle, DialogTrigger, } from "@/components/ui/dialog"
+import {
+  Dialog,
+  DialogContent,
+  DialogFooter,
+  DialogHeader,
+  DialogTitle,
+  DialogTrigger,
+} from "@/components/ui/dialog"
 import {
  DropdownMenu,
  DropdownMenuContent,
  DropdownMenuItem,
  DropdownMenuTrigger,
 } from "@/components/ui/dropdown-menu"
-import { Form, FormControl, FormField, FormItem, FormLabel, FormMessage, } from "@/components/ui/form"
+import {
+  Form,
+  FormControl,
+  FormField,
+  FormItem,
+  FormLabel,
+  FormMessage,
+} from "@/components/ui/form"
 import { Input } from "@/components/ui/input"
-import { Select, SelectContent, SelectItem, SelectTrigger, SelectValue, } from "@/components/ui/select"
+import {
+  Select,
+  SelectContent,
+  SelectItem,
+  SelectTrigger,
+  SelectValue,
+} from "@/components/ui/select"
 import { Switch } from "@/components/ui/switch"
 import { Textarea } from "@/components/ui/textarea"

--- a/ui/vite.config.ts
+++ b/ui/vite.config.ts
@@ -1,31 +1,34 @@
 import path from "path"
 import tailwindcss from "@tailwindcss/vite"
-import { defineConfig } from 'vite'
-import react from '@vitejs/plugin-react'
+import react from "@vitejs/plugin-react"
+import { defineConfig } from "vite"

 // https://vite.dev/config/
 export default defineConfig({
  plugins: [react(), tailwindcss()],
-    resolve: {
-        alias: {
-            "@": path.resolve(__dirname, "./src"),
-        }
+  resolve: {
+    alias: {
+      "@": path.resolve(__dirname, "./src"),
    },
-    server: {
-        port: 5173,
-        proxy: {
-            "/api": "http://localhost:8080",
-            "/swagger": "http://localhost:8080",
-        },
-        allowedHosts: ['.getexposed.io']
+  },
+  server: {
+    port: 5173,
+    proxy: {
+      "/api": "http://localhost:8080",
+      "/swagger": "http://localhost:8080",
+      "/db-studio": "http://localhost:8080",
    },
-    build: {
-        chunkSizeWarningLimit: 1000,
-        outDir: "../internal/web/dist",
-        emptyOutDir: true,
-        sourcemap: true,
-        cssMinify: "lightningcss",
-        rollupOptions: { output: { manualChunks: { react: ["react","react-dom","react-router-dom"] } } }
+    allowedHosts: [".getexposed.io"],
+  },
+  build: {
+    chunkSizeWarningLimit: 1000,
+    outDir: "../internal/web/dist",
+    emptyOutDir: true,
+    sourcemap: true,
+    cssMinify: "lightningcss",
+    rollupOptions: {
+      output: { manualChunks: { react: ["react", "react-dom", "react-router-dom"] } },
    },
-    esbuild: { legalComments: "none" }
+  },
+  esbuild: { legalComments: "none" },
 })
--- a/ui/yarn.lock
+++ b/ui/yarn.lock
@@ -1791,11 +1791,16 @@
    "@typescript-eslint/types" "8.46.3"
    "@typescript-eslint/visitor-keys" "8.46.3"

-"@typescript-eslint/tsconfig-utils@8.46.3", "@typescript-eslint/tsconfig-utils@^8.46.3":
+"@typescript-eslint/tsconfig-utils@8.46.3":
  version "8.46.3"
  resolved "https://registry.yarnpkg.com/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.46.3.tgz#cad33398c762c97fe56a8defda00c16505abefa3"
  integrity sha512-GLupljMniHNIROP0zE7nCcybptolcH8QZfXOpCfhQDAdwJ/ZTlcaBOYebSOZotpti/3HrHSw7D3PZm75gYFsOA==

+"@typescript-eslint/tsconfig-utils@^8.46.3":
+  version "8.46.4"
+  resolved "https://registry.yarnpkg.com/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.46.4.tgz#989a338093b6b91b0552f1f51331d89ec6980382"
+  integrity sha512-+/XqaZPIAk6Cjg7NWgSGe27X4zMGqrFqZ8atJsX3CWxH/jACqWnrWI68h7nHQld0y+k9eTTjb9r+KU4twLoo9A==
+
 "@typescript-eslint/type-utils@8.46.3":
  version "8.46.3"
  resolved "https://registry.yarnpkg.com/@typescript-eslint/type-utils/-/type-utils-8.46.3.tgz#71188df833d7697ecff256cd1d3889a20552d78c"
@@ -1807,11 +1812,16 @@
    debug "^4.3.4"
    ts-api-utils "^2.1.0"

-"@typescript-eslint/types@8.46.3", "@typescript-eslint/types@^8.46.3":
+"@typescript-eslint/types@8.46.3":
  version "8.46.3"
  resolved "https://registry.yarnpkg.com/@typescript-eslint/types/-/types-8.46.3.tgz#da05ea40e91359b4275dbb3a489f2f7907a02245"
  integrity sha512-G7Ok9WN/ggW7e/tOf8TQYMaxgID3Iujn231hfi0Pc7ZheztIJVpO44ekY00b7akqc6nZcvregk0Jpah3kep6hA==

+"@typescript-eslint/types@^8.46.3":
+  version "8.46.4"
+  resolved "https://registry.yarnpkg.com/@typescript-eslint/types/-/types-8.46.4.tgz#38022bfda051be80e4120eeefcd2b6e3e630a69b"
+  integrity sha512-USjyxm3gQEePdUwJBFjjGNG18xY9A2grDVGuk7/9AkjIF1L+ZrVnwR5VAU5JXtUnBL/Nwt3H31KlRDaksnM7/w==
+
 "@typescript-eslint/typescript-estree@8.46.3":
  version "8.46.3"
  resolved "https://registry.yarnpkg.com/@typescript-eslint/typescript-estree/-/typescript-estree-8.46.3.tgz#c12406afba707f9779ce0c0151a08c33b3a96d41"
@@ -1954,7 +1964,7 @@ balanced-match@^1.0.0:
  resolved "https://registry.yarnpkg.com/balanced-match/-/balanced-match-1.0.2.tgz#e83e3a7e3f300b34cb9d87f615fa0cbf357690ee"
  integrity sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==

-baseline-browser-mapping@^2.8.19:
+baseline-browser-mapping@^2.8.25:
  version "2.8.25"
  resolved "https://registry.yarnpkg.com/baseline-browser-mapping/-/baseline-browser-mapping-2.8.25.tgz#947dc6f81778e0fa0424a2ab9ea09a3033e71109"
  integrity sha512-2NovHVesVF5TXefsGX1yzx1xgr7+m9JQenvz6FQY3qd+YXkKkYiv+vTCc7OriP9mcDZpTC5mAOYN4ocd29+erA==
@@ -1997,14 +2007,14 @@ braces@^3.0.3:
    fill-range "^7.1.1"

 browserslist@^4.24.0, browserslist@^4.26.2:
-  version "4.27.0"
-  resolved "https://registry.yarnpkg.com/browserslist/-/browserslist-4.27.0.tgz#755654744feae978fbb123718b2f139bc0fa6697"
-  integrity sha512-AXVQwdhot1eqLihwasPElhX2tAZiBjWdJ9i/Zcj2S6QYIjkx62OKSfnobkriB81C3l4w0rVy3Nt4jaTBltYEpw==
+  version "4.28.0"
+  resolved "https://registry.yarnpkg.com/browserslist/-/browserslist-4.28.0.tgz#9cefece0a386a17a3cd3d22ebf67b9deca1b5929"
+  integrity sha512-tbydkR/CxfMwelN0vwdP/pLkDwyAASZ+VfWm4EOwlB6SWhx1sYnWLqo8N5j0rAzPfzfRaxt0mM/4wPU/Su84RQ==
  dependencies:
-    baseline-browser-mapping "^2.8.19"
-    caniuse-lite "^1.0.30001751"
-    electron-to-chromium "^1.5.238"
-    node-releases "^2.0.26"
+    baseline-browser-mapping "^2.8.25"
+    caniuse-lite "^1.0.30001754"
+    electron-to-chromium "^1.5.249"
+    node-releases "^2.0.27"
    update-browserslist-db "^1.1.4"

 bytes@3.1.2, bytes@^3.1.2:
@@ -2033,7 +2043,7 @@ callsites@^3.0.0:
  resolved "https://registry.yarnpkg.com/callsites/-/callsites-3.1.0.tgz#b3630abd8943432f54b3f0519238e33cd7df2f73"
  integrity sha512-P8BjAsXvZS+VIDUI11hHCQEv74YT67YUi5JJFNWIqL235sBmjX4+qx9Muvls5ivyNENctx46xQLQ3aTuE7ssaQ==

-caniuse-lite@^1.0.30001751:
+caniuse-lite@^1.0.30001754:
  version "1.0.30001754"
  resolved "https://registry.yarnpkg.com/caniuse-lite/-/caniuse-lite-1.0.30001754.tgz#7758299d9a72cce4e6b038788a15b12b44002759"
  integrity sha512-x6OeBXueoAceOmotzx3PO4Zpt4rzpeIFsSr6AAePTZxSkXiYDUmpypEl7e2+8NCd9bD7bXjqyef8CJYPC1jfxg==
@@ -2365,10 +2375,10 @@ ee-first@1.1.1:
  resolved "https://registry.yarnpkg.com/ee-first/-/ee-first-1.1.1.tgz#590c61156b0ae2f4f0255732a158b266bc56b21d"
  integrity sha512-WMwm9LhRUo+WUaRN+vRuETqG89IgZphVSNkdFgeb6sS/E4OrDIN7t48CAewSHXc6C8lefD8KKfr5vY61brQlow==

-electron-to-chromium@^1.5.238:
-  version "1.5.249"
-  resolved "https://registry.yarnpkg.com/electron-to-chromium/-/electron-to-chromium-1.5.249.tgz#e4fc3a3e60bb347361e4e876bb31903a9132a447"
-  integrity sha512-5vcfL3BBe++qZ5kuFhD/p8WOM1N9m3nwvJPULJx+4xf2usSlZFJ0qoNYO2fOX4hi3ocuDcmDobtA+5SFr4OmBg==
+electron-to-chromium@^1.5.249:
+  version "1.5.250"
+  resolved "https://registry.yarnpkg.com/electron-to-chromium/-/electron-to-chromium-1.5.250.tgz#0b40436fa41ae7cbac3d2f60ef0411a698eb72a7"
+  integrity sha512-/5UMj9IiGDMOFBnN4i7/Ry5onJrAGSbOGo3s9FEKmwobGq6xw832ccET0CE3CkkMBZ8GJSlUIesZofpyurqDXw==

 embla-carousel-react@^8.6.0:
  version "8.6.0"
@@ -3526,7 +3536,7 @@ node-fetch@^3.3.2:
    fetch-blob "^3.1.4"
    formdata-polyfill "^4.0.10"

-node-releases@^2.0.26:
+node-releases@^2.0.27:
  version "2.0.27"
  resolved "https://registry.yarnpkg.com/node-releases/-/node-releases-2.0.27.tgz#eedca519205cf20f650f61d56b070db111231e4e"
  integrity sha512-nmh3lCkYZ3grZvqcCH+fjmQ7X+H0OeZgP40OierEaAptX4XofMh5kwNbWh7lBduUzCcV/8kZ+NDLCwm2iorIlA==
Author	SHA1	Message	Date
allanice001	586e51b8cc	fix: db-studio prefix fixes	2025-11-11 04:23:27 +00:00
allanice001	ea4c625269	fix: db-studio prefix fixes	2025-11-11 04:01:57 +00:00
allanice001	b4c108a5be	Merge branch 'main' of github.com:GlueOps/autoglue	2025-11-11 03:20:10 +00:00
allanice001	3a1ce33bca	feat: adding embedded db-studio Signed-off-by: allanice001 <allanice001@gmail.com>	2025-11-11 03:19:09 +00:00
public-glueops-renovatebot[bot]	dbb7ec398e	chore: lock file maintenance (#259 ) Co-authored-by: public-glueops-renovatebot[bot] <186083205+public-glueops-renovatebot[bot]@users.noreply.github.com>	2025-11-11 03:03:05 +00:00
public-glueops-renovatebot[bot]	82847e5027	chore: lock file maintenance (#258 ) Co-authored-by: public-glueops-renovatebot[bot] <186083205+public-glueops-renovatebot[bot]@users.noreply.github.com>	2025-11-10 21:03:26 +00:00
public-glueops-renovatebot[bot]	4314599427	chore: lock file maintenance (#256 ) Co-authored-by: public-glueops-renovatebot[bot] <186083205+public-glueops-renovatebot[bot]@users.noreply.github.com>	2025-11-10 17:24:20 +00:00
public-glueops-renovatebot[bot]	9108ee8f8f	breaking: the dependency `sigstore/cosign-installer` has been updated to a new major version (v4.0.0), which may include breaking changes. #major (#253 ) Co-authored-by: public-glueops-renovatebot[bot] <186083205+public-glueops-renovatebot[bot]@users.noreply.github.com>	2025-11-10 15:14:40 +00:00
allanice001	1feb3e29e1	chore: prettier	2025-11-10 14:47:39 +00:00
allanice001	0e9ce98624	fix: credentials page bugfix Signed-off-by: allanice001 <allanice001@gmail.com>	2025-11-10 14:47:24 +00:00