fix: bugfix jobs

Signed-off-by: allanice001 <allanice001@gmail.com>

Makefile

@@ -204,6 +204,7 @@ swagger: $(DOCS_JSON) ## Generate Swagger docs if stale
 # --- build ---
 build: prepare ui swagger sdk-all ## Build everything: Go hygiene, UI, Swagger, SDKs, then Go binary
 	@echo ">> Building Go binary: $(BIN)"
+	@$(GOCMD) get github.com/swaggo/swag/v2@v2.0.0-rc4
 	@$(GOCMD) build -trimpath -ldflags "$(LDFLAGS)" -o $(BIN) $(MAIN)
 
 # Handy: print resolved version metadata

cmd/serve.go

@@ -156,6 +156,21 @@ var serveCmd = &cobra.Command{
 			if err != nil {
 				log.Printf("failed to enqueue cluster bootstrap: %v", err)
 			}
+
+			_, err = jobs.Enqueue(
+				context.Background(),
+				uuid.NewString(),
+				"org_key_sweeper",
+				bg.OrgKeySweeperArgs{
+					IntervalS:     3600,
+					RetentionDays: 10,
+				},
+				archer.WithMaxRetries(1),
+				archer.WithScheduleTime(time.Now()),
+			)
+			if err != nil {
+				log.Printf("failed to enqueue org_key_sweeper: %v", err)
+			}
 		}
 
 		_ = auth.Refresh(rt.DB, rt.Cfg.JWTPrivateEncKey)

docs/openapi.yaml

@@ -104,6 +104,8 @@ components:
           $ref: '#/components/schemas/dto.LoadBalancerResponse'
         id:
           type: string
+        kubeconfig:
+          type: string
         last_error:
           type: string
         name:
@@ -113,6 +115,10 @@ components:
             $ref: '#/components/schemas/dto.NodePoolResponse'
           type: array
           uniqueItems: false
+        org_key:
+          type: string
+        org_secret:
+          type: string
         random_token:
           type: string
         region:
@@ -1037,6 +1043,8 @@ components:
       type: object
     models.APIKey:
       properties:
+        cluster_id:
+          type: string
         created_at:
           format: date-time
           type: string
@@ -1046,6 +1054,8 @@ components:
         id:
           format: uuid
           type: string
+        is_ephemeral:
+          type: boolean
         last_used_at:
           format: date-time
           type: string
@@ -1056,6 +1066,8 @@ components:
           type: string
         prefix:
           type: string
+        purpose:
+          type: string
         revoked:
           type: boolean
         scope:

go.mod

@@ -4,11 +4,11 @@ go 1.25.4
 
 require (
 	github.com/alexedwards/argon2id v1.0.0
-	github.com/aws/aws-sdk-go-v2 v1.40.1
-	github.com/aws/aws-sdk-go-v2/config v1.32.3
-	github.com/aws/aws-sdk-go-v2/credentials v1.19.3
-	github.com/aws/aws-sdk-go-v2/service/route53 v1.61.1
-	github.com/aws/aws-sdk-go-v2/service/s3 v1.93.0
+	github.com/aws/aws-sdk-go-v2 v1.41.0
+	github.com/aws/aws-sdk-go-v2/config v1.32.5
+	github.com/aws/aws-sdk-go-v2/credentials v1.19.5
+	github.com/aws/aws-sdk-go-v2/service/route53 v1.62.0
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.94.0
 	github.com/coreos/go-oidc/v3 v3.17.0
 	github.com/dyaksa/archer v1.1.5
 	github.com/fergusstrange/embedded-postgres v1.33.0
@@ -16,7 +16,7 @@ require (
 	github.com/go-chi/chi/v5 v5.2.3
 	github.com/go-chi/cors v1.2.2
 	github.com/go-chi/httprate v0.15.0
-	github.com/go-playground/validator/v10 v10.28.0
+	github.com/go-playground/validator/v10 v10.29.0
 	github.com/golang-jwt/jwt/v5 v5.3.0
 	github.com/google/uuid v1.6.0
 	github.com/joho/godotenv v1.5.1
@@ -25,7 +25,7 @@ require (
 	github.com/spf13/cobra v1.10.2
 	github.com/spf13/viper v1.21.0
 	github.com/swaggo/swag/v2 v2.0.0-rc4
-	golang.org/x/crypto v0.45.0
+	golang.org/x/crypto v0.46.0
 	golang.org/x/oauth2 v0.34.0
 	gopkg.in/yaml.v3 v3.0.1
 	gorm.io/datatypes v1.2.7
@@ -39,19 +39,19 @@ require (
 	github.com/KyleBanks/depth v1.2.1 // indirect
 	github.com/ScaleFT/sshkeys v0.0.0-20200327173127-6142f742bca5 // indirect
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.4 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.15 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.15 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.15 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.16 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.16 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.16 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.15 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.16 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.4 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.15 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.15 // indirect
-	github.com/aws/aws-sdk-go-v2/service/signin v1.0.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.30.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.11 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.41.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.16 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.16 // indirect
+	github.com/aws/aws-sdk-go-v2/service/signin v1.0.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.30.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.12 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.41.5 // indirect
 	github.com/aws/smithy-go v1.24.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bytedance/sonic v1.14.0 // indirect
@@ -61,7 +61,7 @@ require (
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/dchest/bcrypt_pbkdf v0.0.0-20150205184540-83f37f9c154a // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.10 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.11 // indirect
 	github.com/gin-contrib/sse v1.1.0 // indirect
 	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
 	github.com/go-openapi/jsonpointer v0.19.6 // indirect
@@ -122,12 +122,12 @@ require (
 	go.uber.org/mock v0.5.0 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/arch v0.20.0 // indirect
-	golang.org/x/mod v0.29.0 // indirect
+	golang.org/x/mod v0.30.0 // indirect
 	golang.org/x/net v0.47.0 // indirect
-	golang.org/x/sync v0.18.0 // indirect
-	golang.org/x/sys v0.38.0 // indirect
-	golang.org/x/text v0.31.0 // indirect
-	golang.org/x/tools v0.38.0 // indirect
+	golang.org/x/sync v0.19.0 // indirect
+	golang.org/x/sys v0.39.0 // indirect
+	golang.org/x/text v0.32.0 // indirect
+	golang.org/x/tools v0.39.0 // indirect
 	google.golang.org/protobuf v1.36.9 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gorm.io/driver/mysql v1.5.7 // indirect

go.sum

@@ -10,44 +10,46 @@ github.com/ScaleFT/sshkeys v0.0.0-20200327173127-6142f742bca5 h1:VauE2GcJNZFun2O
 github.com/ScaleFT/sshkeys v0.0.0-20200327173127-6142f742bca5/go.mod h1:gxOHeajFfvGQh/fxlC8oOKBe23xnnJTif00IFFbiT+o=
 github.com/alexedwards/argon2id v1.0.0 h1:wJzDx66hqWX7siL/SRUmgz3F8YMrd/nfX/xHHcQQP0w=
 github.com/alexedwards/argon2id v1.0.0/go.mod h1:tYKkqIjzXvZdzPvADMWOEZ+l6+BD6CtBXMj5fnJppiw=
-github.com/aws/aws-sdk-go-v2 v1.40.1 h1:difXb4maDZkRH0x//Qkwcfpdg1XQVXEAEs2DdXldFFc=
-github.com/aws/aws-sdk-go-v2 v1.40.1/go.mod h1:MayyLB8y+buD9hZqkCW3kX1AKq07Y5pXxtgB+rRFhz0=
+github.com/aws/aws-sdk-go-v2 v1.41.0 h1:tNvqh1s+v0vFYdA1xq0aOJH+Y5cRyZ5upu6roPgPKd4=
+github.com/aws/aws-sdk-go-v2 v1.41.0/go.mod h1:MayyLB8y+buD9hZqkCW3kX1AKq07Y5pXxtgB+rRFhz0=
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.4 h1:489krEF9xIGkOaaX3CE/Be2uWjiXrkCH6gUX+bZA/BU=
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.4/go.mod h1:IOAPF6oT9KCsceNTvvYMNHy0+kMF8akOjeDvPENWxp4=
-github.com/aws/aws-sdk-go-v2/config v1.32.3 h1:cpz7H2uMNTDa0h/5CYL5dLUEzPSLo2g0NkbxTRJtSSU=
-github.com/aws/aws-sdk-go-v2/config v1.32.3/go.mod h1:srtPKaJJe3McW6T/+GMBZyIPc+SeqJsNPJsd4mOYZ6s=
-github.com/aws/aws-sdk-go-v2/credentials v1.19.3 h1:01Ym72hK43hjwDeJUfi1l2oYLXBAOR8gNSZNmXmvuas=
-github.com/aws/aws-sdk-go-v2/credentials v1.19.3/go.mod h1:55nWF/Sr9Zvls0bGnWkRxUdhzKqj9uRNlPvgV1vgxKc=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.15 h1:utxLraaifrSBkeyII9mIbVwXXWrZdlPO7FIKmyLCEcY=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.15/go.mod h1:hW6zjYUDQwfz3icf4g2O41PHi77u10oAzJ84iSzR/lo=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.15 h1:Y5YXgygXwDI5P4RkteB5yF7v35neH7LfJKBG+hzIons=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.15/go.mod h1:K+/1EpG42dFSY7CBj+Fruzm8PsCGWTXJ3jdeJ659oGQ=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.15 h1:AvltKnW9ewxX2hFmQS0FyJH93aSvJVUEFvXfU+HWtSE=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.15/go.mod h1:3I4oCdZdmgrREhU74qS1dK9yZ62yumob+58AbFR4cQA=
+github.com/aws/aws-sdk-go-v2/config v1.32.5 h1:pz3duhAfUgnxbtVhIK39PGF/AHYyrzGEyRD9Og0QrE8=
+github.com/aws/aws-sdk-go-v2/config v1.32.5/go.mod h1:xmDjzSUs/d0BB7ClzYPAZMmgQdrodNjPPhd6bGASwoE=
+github.com/aws/aws-sdk-go-v2/credentials v1.19.5 h1:xMo63RlqP3ZZydpJDMBsH9uJ10hgHYfQFIk1cHDXrR4=
+github.com/aws/aws-sdk-go-v2/credentials v1.19.5/go.mod h1:hhbH6oRcou+LpXfA/0vPElh/e0M3aFeOblE1sssAAEk=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.16 h1:80+uETIWS1BqjnN9uJ0dBUaETh+P1XwFy5vwHwK5r9k=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.16/go.mod h1:wOOsYuxYuB/7FlnVtzeBYRcjSRtQpAW0hCP7tIULMwo=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.16 h1:rgGwPzb82iBYSvHMHXc8h9mRoOUBZIGFgKb9qniaZZc=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.16/go.mod h1:L/UxsGeKpGoIj6DxfhOWHWQ/kGKcd4I1VncE4++IyKA=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.16 h1:1jtGzuV7c82xnqOVfx2F0xmJcOw5374L7N6juGW6x6U=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.16/go.mod h1:M2E5OQf+XLe+SZGmmpaI2yy+J326aFf6/+54PoxSANc=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 h1:WKuaxf++XKWlHWu9ECbMlha8WOEGm0OUEZqm4K/Gcfk=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4/go.mod h1:ZWy7j6v1vWGmPReu0iSGvRiise4YI5SkR3OHKTZ6Wuc=
-github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.15 h1:NLYTEyZmVZo0Qh183sC8nC+ydJXOOeIL/qI/sS3PdLY=
-github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.15/go.mod h1:Z803iB3B0bc8oJV8zH2PERLRfQUJ2n2BXISpsA4+O1M=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.16 h1:CjMzUs78RDDv4ROu3JnJn/Ig1r6ZD7/T2DXLLRpejic=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.16/go.mod h1:uVW4OLBqbJXSHJYA9svT9BluSvvwbzLQ2Crf6UPzR3c=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.4 h1:0ryTNEdJbzUCEWkVXEXoqlXV72J5keC1GvILMOuD00E=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.4/go.mod h1:HQ4qwNZh32C3CBeO6iJLQlgtMzqeG17ziAA/3KDJFow=
-github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.6 h1:P1MU/SuhadGvg2jtviDXPEejU3jBNhoeeAlRadHzvHI=
-github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.6/go.mod h1:5KYaMG6wmVKMFBSfWoyG/zH8pWwzQFnKgpoSRlXHKdQ=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.15 h1:3/u/4yZOffg5jdNk1sDpOQ4Y+R6Xbh+GzpDrSZjuy3U=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.15/go.mod h1:4Zkjq0FKjE78NKjabuM4tRXKFzUJWXgP0ItEZK8l7JU=
-github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.15 h1:wsSQ4SVz5YE1crz0Ap7VBZrV4nNqZt4CIBBT8mnwoNc=
-github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.15/go.mod h1:I7sditnFGtYMIqPRU1QoHZAUrXkGp4SczmlLwrNPlD0=
-github.com/aws/aws-sdk-go-v2/service/route53 v1.61.1 h1:ik9tMw+xWZqzffOtGH3PfV0Yy/V+QsCb1XYXXXjUskk=
-github.com/aws/aws-sdk-go-v2/service/route53 v1.61.1/go.mod h1:JRqmldxIPU6uck5bcFS8ExwwG2mUwfy+jiUmismOxJs=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.93.0 h1:IrbE3B8O9pm3lsg96AXIN5MXX4pECEuExh/A0Du3AuI=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.93.0/go.mod h1:/sJLzHtiiZvs6C1RbxS/anSAFwZD6oC6M/kotQzOiLw=
-github.com/aws/aws-sdk-go-v2/service/signin v1.0.3 h1:d/6xOGIllc/XW1lzG9a4AUBMmpLA9PXcQnVPTuHHcik=
-github.com/aws/aws-sdk-go-v2/service/signin v1.0.3/go.mod h1:fQ7E7Qj9GiW8y0ClD7cUJk3Bz5Iw8wZkWDHsTe8vDKs=
-github.com/aws/aws-sdk-go-v2/service/sso v1.30.6 h1:8sTTiw+9yuNXcfWeqKF2x01GqCF49CpP4Z9nKrrk/ts=
-github.com/aws/aws-sdk-go-v2/service/sso v1.30.6/go.mod h1:8WYg+Y40Sn3X2hioaaWAAIngndR8n1XFdRPPX+7QBaM=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.11 h1:E+KqWoVsSrj1tJ6I/fjDIu5xoS2Zacuu1zT+H7KtiIk=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.11/go.mod h1:qyWHz+4lvkXcr3+PoGlGHEI+3DLLiU6/GdrFfMaAhB0=
-github.com/aws/aws-sdk-go-v2/service/sts v1.41.3 h1:tzMkjh0yTChUqJDgGkcDdxvZDSrJ/WB6R6ymI5ehqJI=
-github.com/aws/aws-sdk-go-v2/service/sts v1.41.3/go.mod h1:T270C0R5sZNLbWUe8ueiAF42XSZxxPocTaGSgs5c/60=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.7 h1:DIBqIrJ7hv+e4CmIk2z3pyKT+3B6qVMgRsawHiR3qso=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.7/go.mod h1:vLm00xmBke75UmpNvOcZQ/Q30ZFjbczeLFqGx5urmGo=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.16 h1:oHjJHeUy0ImIV0bsrX0X91GkV5nJAyv1l1CC9lnO0TI=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.16/go.mod h1:iRSNGgOYmiYwSCXxXaKb9HfOEj40+oTKn8pTxMlYkRM=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.16 h1:NSbvS17MlI2lurYgXnCOLvCFX38sBW4eiVER7+kkgsU=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.16/go.mod h1:SwT8Tmqd4sA6G1qaGdzWCJN99bUmPGHfRwwq3G5Qb+A=
+github.com/aws/aws-sdk-go-v2/service/route53 v1.62.0 h1:80pDB3Tpmb2RCSZORrK9/3iQxsd+w6vSzVqpT1FGiwE=
+github.com/aws/aws-sdk-go-v2/service/route53 v1.62.0/go.mod h1:6EZUGGNLPLh5Unt30uEoA+KQcByERfXIkax9qrc80nA=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.93.2 h1:U3ygWUhCpiSPYSHOrRhb3gOl9T5Y3kB8k5Vjs//57bE=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.93.2/go.mod h1:79S2BdqCJpScXZA2y+cpZuocWsjGjJINyXnOsf5DTz8=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.94.0 h1:SWTxh/EcUCDVqi/0s26V6pVUq0BBG7kx0tDTmF/hCgA=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.94.0/go.mod h1:79S2BdqCJpScXZA2y+cpZuocWsjGjJINyXnOsf5DTz8=
+github.com/aws/aws-sdk-go-v2/service/signin v1.0.4 h1:HpI7aMmJ+mm1wkSHIA2t5EaFFv5EFYXePW30p1EIrbQ=
+github.com/aws/aws-sdk-go-v2/service/signin v1.0.4/go.mod h1:C5RdGMYGlfM0gYq/tifqgn4EbyX99V15P2V3R+VHbQU=
+github.com/aws/aws-sdk-go-v2/service/sso v1.30.7 h1:eYnlt6QxnFINKzwxP5/Ucs1vkG7VT3Iezmvfgc2waUw=
+github.com/aws/aws-sdk-go-v2/service/sso v1.30.7/go.mod h1:+fWt2UHSb4kS7Pu8y+BMBvJF0EWx+4H0hzNwtDNRTrg=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.12 h1:AHDr0DaHIAo8c9t1emrzAlVDFp+iMMKnPdYy6XO4MCE=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.12/go.mod h1:GQ73XawFFiWxyWXMHWfhiomvP3tXtdNar/fi8z18sx0=
+github.com/aws/aws-sdk-go-v2/service/sts v1.41.5 h1:SciGFVNZ4mHdm7gpD1dgZYnCuVdX1s+lFTg4+4DOy70=
+github.com/aws/aws-sdk-go-v2/service/sts v1.41.5/go.mod h1:iW40X4QBmUxdP+fZNOpfmkdMZqsovezbAeO+Ubiv2pk=
 github.com/aws/smithy-go v1.24.0 h1:LpilSUItNPFr1eY85RYgTIg5eIEPtvFbskaFcmmIUnk=
 github.com/aws/smithy-go v1.24.0/go.mod h1:LEj2LM3rBRQJxPZTB4KuzZkaZYnZPnvgIhb4pu07mx0=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
@@ -81,6 +83,8 @@ github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S
 github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/gabriel-vasile/mimetype v1.4.10 h1:zyueNbySn/z8mJZHLt6IPw0KoZsiQNszIpU+bX4+ZK0=
 github.com/gabriel-vasile/mimetype v1.4.10/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
+github.com/gabriel-vasile/mimetype v1.4.11 h1:AQvxbp830wPhHTqc1u7nzoLT+ZFxGY7emj5DR5DYFik=
+github.com/gabriel-vasile/mimetype v1.4.11/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
 github.com/gin-contrib/sse v1.1.0 h1:n0w2GMuUpWDVp7qSpvze6fAu9iRxJY4Hmj6AmBOU05w=
 github.com/gin-contrib/sse v1.1.0/go.mod h1:hxRZ5gVpWMT7Z0B0gSNYqqsSCNIJMjzvm6fqCz9vjwM=
 github.com/gin-gonic/gin v1.11.0 h1:OW/6PLjyusp2PPXtyxKHU0RbX6I/l28FTdDlae5ueWk=
@@ -114,6 +118,8 @@ github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJn
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
 github.com/go-playground/validator/v10 v10.28.0 h1:Q7ibns33JjyW48gHkuFT91qX48KG0ktULL6FgHdG688=
 github.com/go-playground/validator/v10 v10.28.0/go.mod h1:GoI6I1SjPBh9p7ykNE/yj3fFYbyDOpwMn5KXd+m2hUU=
+github.com/go-playground/validator/v10 v10.29.0 h1:lQlF5VNJWNlRbRZNeOIkWElR+1LL/OuHcc0Kp14w1xk=
+github.com/go-playground/validator/v10 v10.29.0/go.mod h1:D6QxqeMlgIPuT02L66f2ccrZ7AGgHkzKmmTMZhk/Kc4=
 github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
 github.com/go-sql-driver/mysql v1.7.0/go.mod h1:OXbVy3sEdcQ2Doequ6Z5BW6fXNQTmx+9S1MCJN5yJMI=
 github.com/go-sql-driver/mysql v1.8.1 h1:LedoTUt/eveggdHS9qUFC1EFSa8bU2+1pZjSRpvNJ1Y=
@@ -290,12 +296,12 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/crypto v0.0.0-20200323165209-0ec3e9974c59/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
-golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
-golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
+golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU=
+golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
-golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
+golang.org/x/mod v0.30.0 h1:fDEXFVZ/fmCKProc/yAXXUijritrDzahmwwefnjoPFk=
+golang.org/x/mod v0.30.0/go.mod h1:lAsf5O2EvJeSFMiBxXDki7sCgAxEUcZHXoXMKT4GJKc=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
@@ -304,15 +310,13 @@ golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
 golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
-golang.org/x/oauth2 v0.33.0 h1:4Q+qn+E5z8gPRJfmRy7C2gGG3T4jIprK6aSYgTXGRpo=
-golang.org/x/oauth2 v0.33.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
 golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=
 golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
-golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
+golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200219091948-cb0a6d8edb6c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -328,29 +332,29 @@ golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
-golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
+golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
-golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
-golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
+golang.org/x/term v0.38.0 h1:PQ5pkm/rLO6HnxFR7N2lJHOZX6Kez5Y1gDSJla6jo7Q=
+golang.org/x/term v0.38.0/go.mod h1:bSEAKrOT1W+VSu9TSCMtoGEOUcKxOKgl3LE5QEF/xVg=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
-golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
-golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
+golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU=
+golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
-golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
+golang.org/x/tools v0.39.0 h1:ik4ho21kwuQln40uelmciQPp9SipgNDdrafrYA4TmQQ=
+golang.org/x/tools v0.39.0/go.mod h1:JnefbkDPyD8UU2kI5fuf8ZX4/yUeh9W877ZeBONxUqQ=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/protobuf v1.36.9 h1:w2gp2mA27hUeUzj9Ex9FBjsBm40zfaDtEWow293U7Iw=
 google.golang.org/protobuf v1.36.9/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=

internal/bg/bg.go

@@ -129,6 +129,12 @@ func NewJobs(gdb *gorm.DB, dbUrl string) (*Jobs, error) {
 		archer.WithTimeout(60*time.Minute),
 	)
 
+	c.Register(
+		"org_key_sweeper",
+		OrgKeySweeperWorker(gdb, jobs),
+		archer.WithInstances(1),
+		archer.WithTimeout(5*time.Minute),
+	)
 	return jobs, nil
 }
 

internal/bg/cluster_bootstrap.go

@@ -68,14 +68,14 @@ func ClusterBootstrapWorker(db *gorm.DB, jobs *Jobs) archer.WorkerFn {
 			logger.Info().Msg("[cluster_bootstrap] running make bootstrap")
 
 			runCtx, cancel := context.WithTimeout(ctx, perClusterTimeout)
-			out, err := runMakeOnBastion(runCtx, db, c, "bootstrap")
+			out, err := runMakeOnBastion(runCtx, db, c, "setup")
 			cancel()
 
 			if err != nil {
 				failCount++
 				failedIDs = append(failedIDs, c.ID)
-				logger.Error().Err(err).Str("output", out).Msg("[cluster_bootstrap] make bootstrap failed")
-				_ = setClusterStatus(db, c.ID, clusterStatusFailed, fmt.Sprintf("make bootstrap: %v", err))
+				logger.Error().Err(err).Str("output", out).Msg("[cluster_bootstrap] make setup failed")
+				_ = setClusterStatus(db, c.ID, clusterStatusFailed, fmt.Sprintf("make setup: %v", err))
 				continue
 			}
 

internal/bg/cluster_setup.go

@@ -68,14 +68,14 @@ func ClusterSetupWorker(db *gorm.DB, jobs *Jobs) archer.WorkerFn {
 			logger.Info().Msg("[cluster_setup] running make setup")
 
 			runCtx, cancel := context.WithTimeout(ctx, perClusterTimeout)
-			out, err := runMakeOnBastion(runCtx, db, c, "setup")
+			out, err := runMakeOnBastion(runCtx, db, c, "ping-servers")
 			cancel()
 
 			if err != nil {
 				failCount++
 				failedIDs = append(failedIDs, c.ID)
-				logger.Error().Err(err).Str("output", out).Msg("[cluster_setup] make setup failed")
-				_ = setClusterStatus(db, c.ID, clusterStatusFailed, fmt.Sprintf("make setup: %v", err))
+				logger.Error().Err(err).Str("output", out).Msg("[cluster_setup] make ping-servers failed")
+				_ = setClusterStatus(db, c.ID, clusterStatusFailed, fmt.Sprintf("make ping-servers: %v", err))
 				continue
 			}
 

internal/bg/org_key_sweeper.go

@@ -0,0 +1,95 @@
+package bg
+
+import (
+	"context"
+	"time"
+
+	"github.com/dyaksa/archer"
+	"github.com/dyaksa/archer/job"
+	"github.com/glueops/autoglue/internal/models"
+	"github.com/google/uuid"
+	"github.com/rs/zerolog/log"
+	"gorm.io/gorm"
+)
+
+type OrgKeySweeperArgs struct {
+	IntervalS     int `json:"interval_seconds,omitempty"`
+	RetentionDays int `json:"retention_days,omitempty"`
+}
+
+type OrgKeySweeperResult struct {
+	Status           string `json:"status"`
+	MarkedRevoked    int    `json:"marked_revoked"`
+	DeletedEphemeral int    `json:"deleted_ephemeral"`
+	ElapsedMs        int    `json:"elapsed_ms"`
+}
+
+func OrgKeySweeperWorker(db *gorm.DB, jobs *Jobs) archer.WorkerFn {
+	return func(ctx context.Context, j job.Job) (any, error) {
+		args := OrgKeySweeperArgs{
+			IntervalS:     3600,
+			RetentionDays: 10,
+		}
+		start := time.Now()
+
+		_ = j.ParseArguments(&args)
+		if args.IntervalS <= 0 {
+			args.IntervalS = 3600
+		}
+		if args.RetentionDays <= 0 {
+			args.RetentionDays = 10
+		}
+
+		now := time.Now()
+
+		// 1) Mark expired keys as revoked
+		res1 := db.Model(&models.APIKey{}).
+			Where("expires_at IS NOT NULL AND expires_at <= ? AND revoked = false", now).
+			Updates(map[string]any{
+				"revoked":    true,
+				"updated_at": now,
+			})
+
+		if res1.Error != nil {
+			log.Error().Err(res1.Error).Msg("[org_key_sweeper] mark expired revoked failed")
+			return nil, res1.Error
+		}
+		markedRevoked := int(res1.RowsAffected)
+
+		// 2) Hard-delete ephemeral keys that are revoked and older than retention
+		cutoff := now.Add(-time.Duration(args.RetentionDays) * 24 * time.Hour)
+		res2 := db.
+			Where("is_ephemeral = ? AND revoked = ? AND updated_at <= ?", true, true, cutoff).
+			Delete(&models.APIKey{})
+
+		if res2.Error != nil {
+			log.Error().Err(res2.Error).Msg("[org_key_sweeper] delete revoked ephemeral keys failed")
+			return nil, res2.Error
+		}
+		deletedEphemeral := int(res2.RowsAffected)
+
+		out := OrgKeySweeperResult{
+			Status:           "ok",
+			MarkedRevoked:    markedRevoked,
+			DeletedEphemeral: deletedEphemeral,
+			ElapsedMs:        int(time.Since(start).Milliseconds()),
+		}
+
+		log.Info().
+			Int("marked_revoked", markedRevoked).
+			Int("deleted_ephemeral", deletedEphemeral).
+			Msg("[org_key_sweeper] cleanup tick ok")
+
+		// Re-enqueue the sweeper
+		next := time.Now().Add(time.Duration(args.IntervalS) * time.Second)
+		_, _ = jobs.Enqueue(
+			ctx,
+			uuid.NewString(),
+			"org_key_sweeper",
+			args,
+			archer.WithScheduleTime(next),
+			archer.WithMaxRetries(1),
+		)
+		return out, nil
+	}
+}

internal/bg/prepare_cluster.go

@@ -3,6 +3,7 @@ package bg
 import (
 	"bytes"
 	"context"
+	"crypto/rand"
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
@@ -12,6 +13,8 @@ import (
 
 	"github.com/dyaksa/archer"
 	"github.com/dyaksa/archer/job"
+	"github.com/glueops/autoglue/internal/auth"
+	"github.com/glueops/autoglue/internal/mapper"
 	"github.com/glueops/autoglue/internal/models"
 	"github.com/glueops/autoglue/internal/utils"
 	"github.com/google/uuid"
@@ -66,6 +69,12 @@ func ClusterPrepareWorker(db *gorm.DB, jobs *Jobs) archer.WorkerFn {
 			Preload("BastionServer.SshKey").
 			Preload("CaptainDomain").
 			Preload("ControlPlaneRecordSet").
+			Preload("AppsLoadBalancer").
+			Preload("GlueOpsLoadBalancer").
+			Preload("NodePools").
+			Preload("NodePools.Labels").
+			Preload("NodePools.Annotations").
+			Preload("NodePools.Taints").
 			Preload("NodePools.Servers.SshKey").
 			Where("status = ?", clusterStatusPrePending).
 			Find(&clusters).Error; err != nil {
@@ -124,7 +133,55 @@ func ClusterPrepareWorker(db *gorm.DB, jobs *Jobs) archer.WorkerFn {
 				continue
 			}
 
-			payloadJSON, err := json.MarshalIndent(c, "", "  ")
+			dtoCluster := mapper.ClusterToDTO(*c)
+
+			if c.EncryptedKubeconfig != "" && c.KubeIV != "" && c.KubeTag != "" {
+				kubeconfig, err := utils.DecryptForOrg(
+					c.OrganizationID,
+					c.EncryptedKubeconfig,
+					c.KubeIV,
+					c.KubeTag,
+					db,
+				)
+				if err != nil {
+					fail++
+					failedIDs = append(failedIDs, c.ID)
+					failures = append(failures, ClusterPrepareFailure{
+						ClusterID: c.ID,
+						Step:      "decrypt_kubeconfig",
+						Reason:    err.Error(),
+					})
+					clusterLog.Error().Err(err).Msg("[cluster_prepare] decrypt kubeconfig failed")
+					_ = setClusterStatus(db, c.ID, clusterStatusFailed, err.Error())
+					continue
+				}
+				dtoCluster.Kubeconfig = &kubeconfig
+			}
+
+			orgKey, orgSecret, err := findOrCreateClusterAutomationKey(
+				db,
+				c.OrganizationID,
+				c.ID,
+				24*time.Hour,
+			)
+
+			if err != nil {
+				fail++
+				failedIDs = append(failedIDs, c.ID)
+				failures = append(failures, ClusterPrepareFailure{
+					ClusterID: c.ID,
+					Step:      "create_org_key",
+					Reason:    err.Error(),
+				})
+				clusterLog.Error().Err(err).Msg("[cluster_prepare] create org key for payload failed")
+				_ = setClusterStatus(db, c.ID, clusterStatusFailed, err.Error())
+				continue
+			}
+
+			dtoCluster.OrgKey = &orgKey
+			dtoCluster.OrgSecret = &orgSecret
+
+			payloadJSON, err := json.MarshalIndent(dtoCluster, "", "  ")
 			if err != nil {
 				fail++
 				failedIDs = append(failedIDs, c.ID)
@@ -443,6 +500,11 @@ func runMakeOnBastion(
 	c *models.Cluster,
 	target string,
 ) (string, error) {
+	logger := log.With().
+		Str("cluster_id", c.ID.String()).
+		Str("cluster_name", c.Name).
+		Logger()
+
 	bastion := c.BastionServer
 	if bastion == nil {
 		return "", fmt.Errorf("bastion server is nil")
@@ -500,9 +562,13 @@ func runMakeOnBastion(
 	defer sess.Close()
 
 	clusterDir := fmt.Sprintf("$HOME/autoglue/clusters/%s", c.ID.String())
-	sshDir := fmt.Sprintf("$HOME/.ssh/autoglue")
+	sshDir := fmt.Sprintf("$HOME/.ssh")
 
-	cmd := fmt.Sprintf("cd %s && docker run -it -v %s:/root/.ssh -v ./payload.json:/opt/gluekube/platform.json %s:%s make %s", clusterDir, sshDir, c.DockerImage, c.DockerTag, target)
+	cmd := fmt.Sprintf("cd %s && docker run -v %s:/root/.ssh -v ./payload.json:/opt/gluekube/platform.json %s:%s make %s", clusterDir, sshDir, c.DockerImage, c.DockerTag, target)
+
+	logger.Info().
+		Str("cmd", cmd).
+		Msg("[runMakeOnBastion] executing remote command")
 
 	out, runErr := sess.CombinedOutput(cmd)
 	if runErr != nil {
@@ -510,3 +576,75 @@ func runMakeOnBastion(
 	}
 	return string(out), nil
 }
+
+func randomB64URL(n int) (string, error) {
+	b := make([]byte, n)
+	if _, err := rand.Read(b); err != nil {
+		return "", err
+	}
+	return base64.RawURLEncoding.EncodeToString(b), nil
+}
+
+func findOrCreateClusterAutomationKey(
+	db *gorm.DB,
+	orgID uuid.UUID,
+	clusterID uuid.UUID,
+	ttl time.Duration,
+) (orgKey string, orgSecret string, err error) {
+	now := time.Now()
+	name := fmt.Sprintf("cluster-%s-bastion", clusterID.String())
+
+	// 1) Delete any existing ephemeral cluster-bastion key for this org+cluster
+	if err := db.Where(
+		"org_id = ? AND scope = ? AND purpose = ? AND cluster_id = ? AND is_ephemeral = ?",
+		orgID, "org", "cluster_bastion", clusterID, true,
+	).Delete(&models.APIKey{}).Error; err != nil {
+		return "", "", fmt.Errorf("delete existing cluster key: %w", err)
+	}
+
+	// 2) Mint a fresh keypair
+	keySuffix, err := randomB64URL(16)
+	if err != nil {
+		return "", "", fmt.Errorf("entropy_error: %w", err)
+	}
+	sec, err := randomB64URL(32)
+	if err != nil {
+		return "", "", fmt.Errorf("entropy_error: %w", err)
+	}
+
+	orgKey = "org_" + keySuffix
+	orgSecret = sec
+
+	keyHash := auth.SHA256Hex(orgKey)
+	secretHash, err := auth.HashSecretArgon2id(orgSecret)
+	if err != nil {
+		return "", "", fmt.Errorf("hash_error: %w", err)
+	}
+
+	exp := now.Add(ttl)
+
+	prefix := orgKey
+	if len(prefix) > 12 {
+		prefix = prefix[:12]
+	}
+
+	rec := models.APIKey{
+		OrgID:       &orgID,
+		Scope:       "org",
+		Purpose:     "cluster_bastion",
+		ClusterID:   &clusterID,
+		IsEphemeral: true,
+		Name:        name,
+		KeyHash:     keyHash,
+		SecretHash:  &secretHash,
+		ExpiresAt:   &exp,
+		Revoked:     false,
+		Prefix:      &prefix,
+	}
+
+	if err := db.Create(&rec).Error; err != nil {
+		return "", "", fmt.Errorf("db_error: %w", err)
+	}
+
+	return orgKey, orgSecret, nil
+}

internal/handlers/clusters.go

@@ -69,7 +69,17 @@ func ListClusters(db *gorm.DB) http.HandlerFunc {
 
 		out := make([]dto.ClusterResponse, 0, len(rows))
 		for _, row := range rows {
-			out = append(out, clusterToDTO(row))
+			cr := clusterToDTO(row)
+
+			if row.EncryptedKubeconfig != "" && row.KubeIV != "" && row.KubeTag != "" {
+				kubeconfig, err := utils.DecryptForOrg(orgID, row.EncryptedKubeconfig, row.KubeIV, row.KubeTag, db)
+				if err != nil {
+					utils.WriteError(w, http.StatusInternalServerError, "kubeconfig_decrypt_failed", "failed to decrypt kubeconfig")
+					return
+				}
+				cr.Kubeconfig = &kubeconfig
+			}
+			out = append(out, cr)
 		}
 		utils.WriteJSON(w, http.StatusOK, out)
 	}
@@ -131,7 +141,18 @@ func GetCluster(db *gorm.DB) http.HandlerFunc {
 			return
 		}
 
-		utils.WriteJSON(w, http.StatusOK, clusterToDTO(cluster))
+		resp := clusterToDTO(cluster)
+
+		if cluster.EncryptedKubeconfig != "" && cluster.KubeIV != "" && cluster.KubeTag != "" {
+			kubeconfig, err := utils.DecryptForOrg(orgID, cluster.EncryptedKubeconfig, cluster.KubeIV, cluster.KubeTag, db)
+			if err != nil {
+				utils.WriteError(w, http.StatusInternalServerError, "kubeconfig_decrypt_failed", "failed to decrypt kubeconfig")
+				return
+			}
+			resp.Kubeconfig = &kubeconfig
+		}
+
+		utils.WriteJSON(w, http.StatusOK, resp)
 	}
 }
 

internal/handlers/dto/clusters.go

@@ -24,6 +24,9 @@ type ClusterResponse struct {
 	NodePools             []NodePoolResponse    `json:"node_pools,omitempty"`
 	DockerImage           string                `json:"docker_image"`
 	DockerTag             string                `json:"docker_tag"`
+	Kubeconfig            *string               `json:"kubeconfig,omitempty"`
+	OrgKey                *string               `json:"org_key,omitempty"`
+	OrgSecret             *string               `json:"org_secret,omitempty"`
 	CreatedAt             time.Time             `json:"created_at"`
 	UpdatedAt             time.Time             `json:"updated_at"`
 }

internal/handlers/node_pools.go

@@ -828,16 +828,16 @@ func ListNodePoolLabels(db *gorm.DB) http.HandlerFunc {
 		}
 
 		out := make([]dto.LabelResponse, 0, len(np.Taints))
-		for _, taint := range np.Taints {
+		for _, label := range np.Labels {
 			out = append(out, dto.LabelResponse{
 				AuditFields: common.AuditFields{
-					ID:             taint.ID,
-					OrganizationID: taint.OrganizationID,
-					CreatedAt:      taint.CreatedAt,
-					UpdatedAt:      taint.UpdatedAt,
+					ID:             label.ID,
+					OrganizationID: label.OrganizationID,
+					CreatedAt:      label.CreatedAt,
+					UpdatedAt:      label.UpdatedAt,
 				},
-				Key:   taint.Key,
-				Value: taint.Value,
+				Key:   label.Key,
+				Value: label.Value,
 			})
 		}
 		utils.WriteJSON(w, http.StatusOK, out)

internal/handlers/orgs.go

@@ -585,13 +585,22 @@ func CreateOrgKey(db *gorm.DB) http.HandlerFunc {
 			exp = &e
 		}
 
+		prefix := orgKey
+		if len(prefix) > 12 {
+			prefix = prefix[:12]
+		}
+
 		rec := models.APIKey{
-			OrgID:      &oid,
-			Scope:      "org",
-			Name:       req.Name,
-			KeyHash:    keyHash,
-			SecretHash: &secretHash,
-			ExpiresAt:  exp,
+			OrgID:       &oid,
+			Scope:       "org",
+			Purpose:     "user",
+			IsEphemeral: false,
+			Name:        req.Name,
+			KeyHash:     keyHash,
+			SecretHash:  &secretHash,
+			ExpiresAt:   exp,
+			Revoked:     false,
+			Prefix:      &prefix,
 		}
 		if err := db.Create(&rec).Error; err != nil {
 			utils.WriteError(w, 500, "db_error", err.Error())

internal/mapper/cluster.go

@@ -0,0 +1,182 @@
+package mapper
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/glueops/autoglue/internal/common"
+	"github.com/glueops/autoglue/internal/handlers/dto"
+	"github.com/glueops/autoglue/internal/models"
+	"github.com/google/uuid"
+)
+
+func ClusterToDTO(c models.Cluster) dto.ClusterResponse {
+	var bastion *dto.ServerResponse
+	if c.BastionServer != nil {
+		b := ServerToDTO(*c.BastionServer)
+		bastion = &b
+	}
+
+	var captainDomain *dto.DomainResponse
+	if c.CaptainDomainID != nil && c.CaptainDomain.ID != uuid.Nil {
+		dr := DomainToDTO(c.CaptainDomain)
+		captainDomain = &dr
+	}
+
+	var controlPlane *dto.RecordSetResponse
+	if c.ControlPlaneRecordSet != nil {
+		rr := RecordSetToDTO(*c.ControlPlaneRecordSet)
+		controlPlane = &rr
+	}
+
+	var cfqdn *string
+	if captainDomain != nil && controlPlane != nil {
+		fq := fmt.Sprintf("%s.%s", controlPlane.Name, captainDomain.DomainName)
+		cfqdn = &fq
+	}
+
+	var appsLB *dto.LoadBalancerResponse
+	if c.AppsLoadBalancer != nil {
+		lr := LoadBalancerToDTO(*c.AppsLoadBalancer)
+		appsLB = &lr
+	}
+
+	var glueOpsLB *dto.LoadBalancerResponse
+	if c.GlueOpsLoadBalancer != nil {
+		lr := LoadBalancerToDTO(*c.GlueOpsLoadBalancer)
+		glueOpsLB = &lr
+	}
+
+	nps := make([]dto.NodePoolResponse, 0, len(c.NodePools))
+	for _, np := range c.NodePools {
+		nps = append(nps, NodePoolToDTO(np))
+	}
+
+	return dto.ClusterResponse{
+		ID:                    c.ID,
+		Name:                  c.Name,
+		CaptainDomain:         captainDomain,
+		ControlPlaneRecordSet: controlPlane,
+		ControlPlaneFQDN:      cfqdn,
+		AppsLoadBalancer:      appsLB,
+		GlueOpsLoadBalancer:   glueOpsLB,
+		BastionServer:         bastion,
+		Provider:              c.Provider,
+		Region:                c.Region,
+		Status:                c.Status,
+		LastError:             c.LastError,
+		RandomToken:           c.RandomToken,
+		CertificateKey:        c.CertificateKey,
+		NodePools:             nps,
+		DockerImage:           c.DockerImage,
+		DockerTag:             c.DockerTag,
+		CreatedAt:             c.CreatedAt,
+		UpdatedAt:             c.UpdatedAt,
+	}
+}
+
+func NodePoolToDTO(np models.NodePool) dto.NodePoolResponse {
+	labels := make([]dto.LabelResponse, 0, len(np.Labels))
+	for _, l := range np.Labels {
+		labels = append(labels, dto.LabelResponse{
+			Key:   l.Key,
+			Value: l.Value,
+		})
+	}
+
+	annotations := make([]dto.AnnotationResponse, 0, len(np.Annotations))
+	for _, a := range np.Annotations {
+		annotations = append(annotations, dto.AnnotationResponse{
+			Key:   a.Key,
+			Value: a.Value,
+		})
+	}
+
+	taints := make([]dto.TaintResponse, 0, len(np.Taints))
+	for _, t := range np.Taints {
+		taints = append(taints, dto.TaintResponse{
+			Key:    t.Key,
+			Value:  t.Value,
+			Effect: t.Effect,
+		})
+	}
+
+	servers := make([]dto.ServerResponse, 0, len(np.Servers))
+	for _, s := range np.Servers {
+		servers = append(servers, ServerToDTO(s))
+	}
+
+	return dto.NodePoolResponse{
+		AuditFields: common.AuditFields{
+			ID:             np.ID,
+			OrganizationID: np.OrganizationID,
+			CreatedAt:      np.CreatedAt,
+			UpdatedAt:      np.UpdatedAt,
+		},
+		Name:        np.Name,
+		Role:        dto.NodeRole(np.Role),
+		Labels:      labels,
+		Annotations: annotations,
+		Taints:      taints,
+		Servers:     servers,
+	}
+}
+
+func ServerToDTO(s models.Server) dto.ServerResponse {
+	return dto.ServerResponse{
+		ID:               s.ID,
+		Hostname:         s.Hostname,
+		PrivateIPAddress: s.PrivateIPAddress,
+		PublicIPAddress:  s.PublicIPAddress,
+		Role:             s.Role,
+		Status:           s.Status,
+		SSHUser:          s.SSHUser,
+		SshKeyID:         s.SshKeyID,
+		CreatedAt:        s.CreatedAt.UTC().Format(time.RFC3339),
+		UpdatedAt:        s.UpdatedAt.UTC().Format(time.RFC3339),
+	}
+}
+
+func DomainToDTO(d models.Domain) dto.DomainResponse {
+	return dto.DomainResponse{
+		ID:             d.ID.String(),
+		OrganizationID: d.OrganizationID.String(),
+		DomainName:     d.DomainName,
+		ZoneID:         d.ZoneID,
+		Status:         d.Status,
+		LastError:      d.LastError,
+		CredentialID:   d.CredentialID.String(),
+		CreatedAt:      d.CreatedAt.UTC().Format(time.RFC3339),
+		UpdatedAt:      d.UpdatedAt.UTC().Format(time.RFC3339),
+	}
+}
+
+func RecordSetToDTO(rs models.RecordSet) dto.RecordSetResponse {
+	return dto.RecordSetResponse{
+		ID:          rs.ID.String(),
+		DomainID:    rs.DomainID.String(),
+		Name:        rs.Name,
+		Type:        rs.Type,
+		TTL:         rs.TTL,
+		Values:      []byte(rs.Values),
+		Fingerprint: rs.Fingerprint,
+		Status:      rs.Status,
+		Owner:       rs.Owner,
+		LastError:   rs.LastError,
+		CreatedAt:   rs.CreatedAt.UTC().Format(time.RFC3339),
+		UpdatedAt:   rs.UpdatedAt.UTC().Format(time.RFC3339),
+	}
+}
+
+func LoadBalancerToDTO(lb models.LoadBalancer) dto.LoadBalancerResponse {
+	return dto.LoadBalancerResponse{
+		ID:               lb.ID,
+		OrganizationID:   lb.OrganizationID,
+		Name:             lb.Name,
+		Kind:             lb.Kind,
+		PublicIPAddress:  lb.PublicIPAddress,
+		PrivateIPAddress: lb.PrivateIPAddress,
+		CreatedAt:        lb.CreatedAt,
+		UpdatedAt:        lb.UpdatedAt,
+	}
+}

internal/models/api_key.go

@@ -7,17 +7,20 @@ import (
 )
 
 type APIKey struct {
-	ID         uuid.UUID  `gorm:"type:uuid;primaryKey;default:gen_random_uuid()" json:"id" format:"uuid"`
-	Name       string     `gorm:"not null;default:''" json:"name"`
-	KeyHash    string     `gorm:"uniqueIndex;not null" json:"-"`
-	Scope      string     `gorm:"not null;default:''" json:"scope"`
-	UserID     *uuid.UUID `json:"user_id,omitempty" format:"uuid"`
-	OrgID      *uuid.UUID `json:"org_id,omitempty" format:"uuid"`
-	SecretHash *string    `json:"-"`
-	ExpiresAt  *time.Time `json:"expires_at,omitempty" format:"date-time"`
-	Revoked    bool       `gorm:"not null;default:false" json:"revoked"`
-	Prefix     *string    `json:"prefix,omitempty"`
-	LastUsedAt *time.Time `json:"last_used_at,omitempty" format:"date-time"`
-	CreatedAt  time.Time  `json:"created_at,omitempty" gorm:"type:timestamptz;column:created_at;not null;default:now()" format:"date-time"`
-	UpdatedAt  time.Time  `json:"updated_at,omitempty" gorm:"type:timestamptz;autoUpdateTime;column:updated_at;not null;default:now()" format:"date-time"`
+	ID          uuid.UUID  `gorm:"type:uuid;primaryKey;default:gen_random_uuid()" json:"id" format:"uuid"`
+	OrgID       *uuid.UUID `json:"org_id,omitempty" format:"uuid"`
+	Scope       string     `gorm:"not null;default:''" json:"scope"`
+	Purpose     string     `json:"purpose"`
+	ClusterID   *uuid.UUID `json:"cluster_id,omitempty"`
+	IsEphemeral bool       `json:"is_ephemeral"`
+	Name        string     `gorm:"not null;default:''" json:"name"`
+	KeyHash     string     `gorm:"uniqueIndex;not null" json:"-"`
+	SecretHash  *string    `json:"-"`
+	UserID      *uuid.UUID `json:"user_id,omitempty" format:"uuid"`
+	ExpiresAt   *time.Time `json:"expires_at,omitempty" format:"date-time"`
+	Revoked     bool       `gorm:"not null;default:false" json:"revoked"`
+	Prefix      *string    `json:"prefix,omitempty"`
+	LastUsedAt  *time.Time `json:"last_used_at,omitempty" format:"date-time"`
+	CreatedAt   time.Time  `json:"created_at,omitempty" gorm:"type:timestamptz;column:created_at;not null;default:now()" format:"date-time"`
+	UpdatedAt   time.Time  `json:"updated_at,omitempty" gorm:"type:timestamptz;autoUpdateTime;column:updated_at;not null;default:now()" format:"date-time"`
 }

internal/web/dist/index.html

@@ -5,7 +5,7 @@
     <link rel="icon" type="image/svg+xml" href="/vite.svg" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <title>AutoGlue</title>
-    <script type="module" crossorigin src="/assets/index-BwyDjDcq.js"></script>
+    <script type="module" crossorigin src="/assets/index-CyGsiYei.js"></script>
     <link rel="modulepreload" crossorigin href="/assets/react-Dt2M6tWj.js">
     <link rel="stylesheet" crossorigin href="/assets/index-VHZG0dIU.css">
   </head>

ui/package.json

@@ -38,7 +38,7 @@
     "@radix-ui/react-toggle-group": "^1.1.11",
     "@radix-ui/react-tooltip": "^1.2.8",
     "@radix-ui/react-use-controllable-state": "^1.2.2",
-    "@tailwindcss/vite": "^4.1.17",
+    "@tailwindcss/vite": "^4.1.18",
     "@tanstack/react-query": "^5.90.12",
     "class-variance-authority": "^0.7.1",
     "clsx": "^2.1.1",
@@ -46,13 +46,13 @@
     "date-fns": "^4.1.0",
     "embla-carousel-react": "^8.6.0",
     "input-otp": "^1.4.2",
-    "lucide-react": "^0.556.0",
-    "motion": "^12.23.25",
+    "lucide-react": "^0.561.0",
+    "motion": "^12.23.26",
     "next-themes": "^0.4.6",
     "rapidoc": "^9.3.8",
-    "react": "^19.2.1",
-    "react-day-picker": "^9.11.3",
-    "react-dom": "^19.2.1",
+    "react": "^19.2.3",
+    "react-day-picker": "^9.12.0",
+    "react-dom": "^19.2.3",
     "react-hook-form": "^7.68.0",
     "react-icons": "^5.5.0",
     "react-resizable-panels": "^3.0.6",
@@ -60,27 +60,27 @@
     "recharts": "2.15.4",
     "sonner": "^2.0.7",
     "tailwind-merge": "^3.4.0",
-    "tailwindcss": "^4.1.17",
+    "tailwindcss": "^4.1.18",
     "vaul": "^1.1.2",
     "zod": "^4.1.13"
   },
   "devDependencies": {
-    "@eslint/js": "9.39.1",
+    "@eslint/js": "9.39.2",
     "@ianvs/prettier-plugin-sort-imports": "4.7.0",
-    "@types/node": "24.10.1",
+    "@types/node": "25.0.1",
     "@types/react": "19.2.7",
     "@types/react-dom": "19.2.3",
-    "@vitejs/plugin-react": "5.1.1",
-    "eslint": "9.39.1",
+    "@vitejs/plugin-react": "5.1.2",
+    "eslint": "9.39.2",
     "eslint-plugin-react-hooks": "7.0.1",
     "eslint-plugin-react-refresh": "0.4.24",
     "globals": "16.5.0",
     "prettier": "3.7.4",
     "prettier-plugin-tailwindcss": "0.7.2",
-    "shadcn": "3.5.1",
+    "shadcn": "3.6.0",
     "tw-animate-css": "1.4.0",
     "typescript": "5.9.3",
-    "typescript-eslint": "8.48.1",
-    "vite": "7.2.6"
+    "typescript-eslint": "8.50.0",
+    "vite": "7.2.7"
   }
 }

ui/src/pages/cluster-page.tsx

@@ -1,76 +1,67 @@
+;
+
 // src/pages/ClustersPage.tsx
 
-import { useEffect, useMemo, useState } from "react"
-import { clustersApi } from "@/api/clusters"
-import { dnsApi } from "@/api/dns"
-import { loadBalancersApi } from "@/api/loadbalancers"
-import { nodePoolsApi } from "@/api/node_pools"
-import { serversApi } from "@/api/servers"
-import type {
-  DtoClusterResponse,
-  DtoDomainResponse,
-  DtoLoadBalancerResponse,
-  DtoNodePoolResponse,
-  DtoRecordSetResponse,
-  DtoServerResponse,
-} from "@/sdk"
-import { zodResolver } from "@hookform/resolvers/zod"
-import { useMutation, useQuery, useQueryClient } from "@tanstack/react-query"
-import {
-  AlertCircle,
-  CheckCircle2,
-  CircleSlash2,
-  FileCode2,
-  Globe2,
-  Loader2,
-  MapPin,
-  Pencil,
-  Plus,
-  Search,
-  Server,
-  Wrench,
-} from "lucide-react"
-import { useForm } from "react-hook-form"
-import { toast } from "sonner"
-import { z } from "zod"
+import { useEffect, useMemo, useState } from "react";
+import { clustersApi } from "@/api/clusters";
+import { dnsApi } from "@/api/dns";
+import { loadBalancersApi } from "@/api/loadbalancers";
+import { nodePoolsApi } from "@/api/node_pools";
+import { serversApi } from "@/api/servers";
+import type { DtoClusterResponse, DtoDomainResponse, DtoLoadBalancerResponse, DtoNodePoolResponse, DtoRecordSetResponse, DtoServerResponse } from "@/sdk";
+import { zodResolver } from "@hookform/resolvers/zod";
+import { useMutation, useQuery, useQueryClient } from "@tanstack/react-query";
+import { AlertCircle, CheckCircle2, CircleSlash2, FileCode2, Globe2, Loader2, MapPin, Pencil, Plus, Search, Server, Wrench } from "lucide-react";
+import { useForm } from "react-hook-form";
+import { toast } from "sonner";
+import { z } from "zod";
+
+
+
+import { truncateMiddle } from "@/lib/utils";
+import { Badge } from "@/components/ui/badge.tsx";
+import { Button } from "@/components/ui/button.tsx";
+import { Dialog, DialogContent, DialogFooter, DialogHeader, DialogTitle, DialogTrigger } from "@/components/ui/dialog.tsx";
+import { Form, FormControl, FormField, FormItem, FormLabel, FormMessage } from "@/components/ui/form.tsx";
+import { Input } from "@/components/ui/input.tsx";
+import { Label } from "@/components/ui/label.tsx";
+import { Select, SelectContent, SelectItem, SelectTrigger, SelectValue } from "@/components/ui/select.tsx";
+import { Table, TableBody, TableCell, TableHead, TableHeader, TableRow } from "@/components/ui/table.tsx";
+import { Textarea } from "@/components/ui/textarea.tsx";
+
+
+
+
+
+;
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
 
-import { truncateMiddle } from "@/lib/utils"
-import { Badge } from "@/components/ui/badge.tsx"
-import { Button } from "@/components/ui/button.tsx"
-import {
-  Dialog,
-  DialogContent,
-  DialogFooter,
-  DialogHeader,
-  DialogTitle,
-  DialogTrigger,
-} from "@/components/ui/dialog.tsx"
-import {
-  Form,
-  FormControl,
-  FormField,
-  FormItem,
-  FormLabel,
-  FormMessage,
-} from "@/components/ui/form.tsx"
-import { Input } from "@/components/ui/input.tsx"
-import { Label } from "@/components/ui/label.tsx"
-import {
-  Select,
-  SelectContent,
-  SelectItem,
-  SelectTrigger,
-  SelectValue,
-} from "@/components/ui/select.tsx"
-import {
-  Table,
-  TableBody,
-  TableCell,
-  TableHead,
-  TableHeader,
-  TableRow,
-} from "@/components/ui/table.tsx"
-import { Textarea } from "@/components/ui/textarea.tsx"
 
 // --- Schemas ---
 
@@ -863,7 +854,7 @@ export const ClustersPage = () => {
                 name="docker_image"
                 render={({ field }) => (
                   <FormItem>
-                    <FormLabel>Region</FormLabel>
+                    <FormLabel>Docker Image</FormLabel>
                     <FormControl>
                       <Input placeholder="ghcr.io/glueops/gluekube" {...field} />
                     </FormControl>
@@ -877,7 +868,7 @@ export const ClustersPage = () => {
                 name="docker_tag"
                 render={({ field }) => (
                   <FormItem>
-                    <FormLabel>Region</FormLabel>
+                    <FormLabel>Docker Tag</FormLabel>
                     <FormControl>
                       <Input placeholder="v1.33" {...field} />
                     </FormControl>

ui/src/pages/docs-page.tsx

@@ -1,17 +1,19 @@
-import { type FC, useEffect, useRef, useState } from "react"
+import { useEffect, useRef, useState, type FC } from "react"
 import { useTheme } from "next-themes"
 
-
 import { Button } from "@/components/ui/button"
 import { Input } from "@/components/ui/input"
 
-
 import "rapidoc"
 
-
 import { Card, CardContent, CardHeader, CardTitle } from "@/components/ui/card.tsx"
-import { Select, SelectContent, SelectItem, SelectTrigger, SelectValue } from "@/components/ui/select.tsx"
-
+import {
+  Select,
+  SelectContent,
+  SelectItem,
+  SelectTrigger,
+  SelectValue,
+} from "@/components/ui/select.tsx"
 
 type RdThemeMode = "auto" | "light" | "dark"
 

ui/src/pages/org/api-keys.tsx

@@ -8,6 +8,7 @@ import { useForm } from "react-hook-form"
 import { toast } from "sonner"
 import { z } from "zod"
 
+import { Badge } from "@/components/ui/badge.tsx"
 import { Button } from "@/components/ui/button.tsx"
 import { Card, CardContent, CardHeader, CardTitle } from "@/components/ui/card.tsx"
 import {
@@ -35,10 +36,12 @@ import {
   TableRow,
 } from "@/components/ui/table.tsx"
 
+// 1) No coerce; we’ll do the conversion in onChange
 const createSchema = z.object({
   name: z.string(),
-  expires_in_hours: z.number().min(1).max(43800),
+  expires_in_hours: z.number().int().min(1).max(43800),
 })
+
 type CreateValues = z.infer<typeof createSchema>
 
 export const OrgApiKeys = () => {
@@ -52,6 +55,7 @@ export const OrgApiKeys = () => {
     queryFn: () => withRefresh(() => api.listOrgKeys({ id: orgId! })),
   })
 
+  // 2) Form holds numbers directly
   const form = useForm<CreateValues>({
     resolver: zodResolver(createSchema),
     defaultValues: {
@@ -71,7 +75,7 @@ export const OrgApiKeys = () => {
       void qc.invalidateQueries({ queryKey: ["org:keys", orgId] })
       setShowSecret({ key: resp.org_key, secret: resp.org_secret })
       toast.success("Key created")
-      form.reset({ name: "", expires_in_hours: undefined })
+      form.reset({ name: "", expires_in_hours: 720 })
     },
     onError: (e: any) => toast.error(e?.message ?? "Failed to create key"),
   })
@@ -124,7 +128,17 @@ export const OrgApiKeys = () => {
                   <FormItem>
                     <FormLabel>Expires In (hours)</FormLabel>
                     <FormControl>
-                      <Input placeholder="e.g. 720" {...field} />
+                      <Input
+                        type="number"
+                        placeholder="e.g. 720"
+                        {...field}
+                        // 3) Convert string → number (or undefined if empty)
+                        value={field.value ?? ""}
+                        onChange={(e) => {
+                          const v = e.target.value
+                          field.onChange(v === "" ? undefined : Number(v))
+                        }}
+                      />
                     </FormControl>
                     <FormMessage />
                   </FormItem>
@@ -148,6 +162,7 @@ export const OrgApiKeys = () => {
                 <TableHead>Scope</TableHead>
                 <TableHead>Created</TableHead>
                 <TableHead>Expires</TableHead>
+                <TableHead>Status</TableHead>
                 <TableHead className="w-28" />
               </TableRow>
             </TableHeader>
@@ -160,6 +175,33 @@ export const OrgApiKeys = () => {
                   <TableCell>
                     {k.expires_at ? new Date(k.expires_at).toLocaleString() : "-"}
                   </TableCell>
+                  <TableCell>
+                    {(() => {
+                      const isExpired = k.expires_at ? new Date(k.expires_at) <= new Date() : false
+
+                      if (k.revoked) {
+                        return (
+                          <Badge variant="destructive" className="font-mono">
+                            Revoked
+                          </Badge>
+                        )
+                      }
+
+                      if (isExpired) {
+                        return (
+                          <Badge variant="outline" className="font-mono">
+                            Expired
+                          </Badge>
+                        )
+                      }
+
+                      return (
+                        <Badge variant="secondary" className="font-mono">
+                          Active
+                        </Badge>
+                      )
+                    })()}
+                  </TableCell>
                   <TableCell className="text-right">
                     <Button variant="destructive" size="sm" onClick={() => deleteMut.mutate(k.id!)}>
                       Delete