Implements AgentStatusService (TDD) that proxies cameleer3-server agent
registry API and queries ClickHouse for trace counts. Gracefully degrades
to UNKNOWN state when server is unreachable or DataSource is absent.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds domain config to RuntimeConfig/application.yml, expands AppResponse
with exposedPort and computed routeUrl, adds updateRouting to AppService,
and adds PATCH /{appId}/routing endpoint to AppController.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Quick start, full installation guide, Logto setup, first tenant
creation, app deployment walkthrough, API reference, tier limits,
development commands, and troubleshooting.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Gitea Actions doesn't support upload/download-artifact v4.
Reverted to two-job approach (git clone + docker build).
Added BuildKit cache mount (--mount=type=cache,target=/root/.m2)
to Dockerfile so Maven deps persist across Docker builds on the
same runner. First build downloads, subsequent builds are cached.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Build job uploads the JAR, docker job downloads it and builds a
runtime-only image. Eliminates duplicate Maven dependency download
(~2min saving). The repo Dockerfile is kept for local builds.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Runs at 02:00 UTC daily (same schedule as cameleer3 and cameleer3-server).
Uses cameleer-build:1 image, excludes TestContainers integration tests.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add jardata volume, CAMELEER_AUTH_TOKEN/CAMELEER3_SERVER_ENDPOINT/CLICKHOUSE_URL env vars to cameleer-saas, CAMELEER_AUTH_TOKEN to cameleer3-server, runtime-base Dockerfile for agent-instrumented customer apps, and expand CI surefire excludes for new integration test classes.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add DeploymentResponse DTO, DeploymentController at /api/apps/{appId} with POST /deploy (202), GET /deployments, GET /deployments/{id}, POST /stop, POST /restart (202), and integration tests covering empty list, 404, and 401 cases.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Implements DeploymentService with TDD: builds Docker images, starts containers with Cameleer env vars, polls for health, and handles stop/restart lifecycle. All 3 unit tests pass.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds AppController at /api/environments/{environmentId}/apps with POST (multipart
metadata+JAR), GET list, GET by ID, PUT jar reupload, and DELETE endpoints.
Also adds CreateAppRequest and AppResponse DTOs, integration tests (AppControllerTest),
and fixes ClickHouseConfig to be excluded in test profile via @Profile("!test").
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Implements AppService with JAR file storage, SHA-256 checksum computation,
tier-based app limit enforcement via LicenseDefaults, and audit logging.
Four TDD tests all pass covering creation, JAR validation, duplicate slug
rejection, and JAR re-upload.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Implements POST/GET/PATCH/DELETE endpoints at /api/tenants/{tenantId}/environments
with DTOs, mapping helpers, and a Spring Boot integration test (TestContainers).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Implements EnvironmentService with full CRUD, duplicate slug rejection,
tier-based environment count limits, and audit logging for create/update/delete.
Adds ENVIRONMENT_CREATE, ENVIRONMENT_UPDATE, ENVIRONMENT_DELETE to AuditAction.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add docker-java and ClickHouse JDBC dependencies, RuntimeConfig and
ClickHouseConfig Spring components, AsyncConfig with deployment thread
pool, and runtime/clickhouse config sections in application.yml.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
16-task plan covering environments, apps, deployments, Docker
runtime orchestrator, ClickHouse log ingestion, and CI updates.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Build container has no Docker-in-Docker, so TestContainers can't
create PostgreSQL containers. Exclude integration tests in CI;
they run locally with Docker Desktop. Matches cameleer3-server
pattern of separating unit and integration tests.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Use cameleer-build:1 (Maven 3.9 + Temurin 21) container instead of
setup-java. Use cameleer-docker-builder:1 for Docker image builds
with registry push. Aligns with cameleer3-server CI pattern.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Docker Desktop 4.54 (Engine 29.1.2) raised minimum API from 1.24 to
1.44. TestContainers 1.20.5 defaults to 1.32 which gets rejected.
TC 1.21.4 handles API version negotiation natively.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Auth is now handled by Logto. Removed AuthController, AuthService,
and related DTOs. Integration tests use Spring Security JWT mocks.
Ed25519 JwtService retained for machine token signing.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Creates Logto organizations when tenants are created. Authenticates
via M2M client credentials. Gracefully skips when Logto is not
configured (dev/test mode).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
GET /auth/verify validates JWT and returns X-User-Id, X-User-Email
headers for downstream service routing via Traefik middleware.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
TenantResolutionFilter extracts organization_id from Logto JWT and
resolves to local tenant via TenantService. ThreadLocal TenantContext
available throughout request lifecycle.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Dual auth: machine endpoints use Ed25519 JWT filter, all other API
endpoints use Spring Security OAuth2 Resource Server with Logto OIDC.
Mock JwtDecoder provided for test isolation.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
POST /api/tenants/{id}/license generates Ed25519-signed license JWT.
GET /api/tenants/{id}/license returns active license.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Generates tier-aware license tokens with features/limits per tier.
Verifies signature and expiry. Audit logged.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Licenses table linked to tenants with JSONB features/limits, Ed25519
signed token storage, and revocation support.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Keys are loaded from PEM files when CAMELEER_JWT_PRIVATE_KEY_PATH and
CAMELEER_JWT_PUBLIC_KEY_PATH are set. Falls back to ephemeral key
generation for development.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Architecture spec covers Docker+K8s dual deployment with build-vs-buy
decisions (Logto, Traefik, Stripe, deferred Lago/Vault). Phase 2 plan
has 12 implementation tasks for tenants, identity, and licensing.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
