feat: spawn in ctrl

[Flo4604]

What does this PR do?

This adds an fallback for the ctrl plane to spawn builds locally, this can either be docker OR k8s

Testing can be done locally by setting UNKEY_METALD_BACKEND to docker or k8s in the ctrl plane

When spinning up an k8s cluster you can have a look at running make dev with the changes from #3943

This also works with external images aslong as they are public in the k8s provider just switch the image with whatever image you want to pull e.g ghcr.io/unkeyed/best-api:v1.1.0

And then adjusting sudo nano /etc/hosts to set dns to 127.0.0.1 for whatever domain the deploy process gave you and running sudo kubectl port-forward -n unkey service/gw 80:80 443:443 and then curling the the domain on port 80.

This also does cleanup for the pkg/partition/db folder by removing stuff we already have in pkg/db, also renames generated bulk queries from .sql.go to sql_generated.go

Adds cloudflare DNS Challenge solver so we can do our wildcard SSL cert

Type of change

• Bug fix (non-breaking change which fixes an issue)
• Chore (refactoring code, technical debt, workflow improvements)
• Enhancement (small improvements)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

How should this be tested?

• Test A
• Test B

Checklist

Required

• Filled out the "How to test" section in this PR
• Read Contributing Guide
• Self-reviewed my own code
• Commented on my code in hard-to-understand areas
• Ran pnpm build
• Ran pnpm fmt
• Checked for warnings, there are none
• Removed all console.logs
• Merged the latest changes from main onto my branch with git pull origin main
• My changes don't cause any responsiveness issues

Appreciated

• If a UI change was made: Added a screen recording or screenshots to this PR
• Updated the Unkey Docs if changes were necessary

Summary by CodeRabbit

• New Features

  • Cloudflare DNS‑01 ACME support with API token and wildcard handling; selectable deployment backend (MetalD, Docker, Kubernetes); configurable default domain; HTTP proxy toggle to allow plain HTTP when TLS termination is disabled.

• Improvements

  • Auto-generated deployment hostnames, deployments report “ready” when VMs run; ACME worker supports DNS‑01 challenges; Linux (linux/amd64) build option; sanitized, length‑bounded Docker tags; bulk DB ops for gateways/vms/certs; tighter cache TTLs; HTTP → HTTPS now 308; GW HTTPS port default updated.

• Chores

  • Added Docker & Kubernetes client dependencies and codegen/plugin for bulk DB operations.

Summary by CodeRabbit

• New Features

  • ACME now supports Cloudflare DNS-01 verification with configurable API token.
  • Selectable deployment backends (Kubernetes or Docker) with improved “ready” status handling.
  • Default domain for auto-generated hostnames; automatic wildcard insertion.
  • Gateway can proxy plain HTTP when TLS is disabled; HTTPS redirects use 308.
  • Deploy CLI: linux/amd64 build flag; sanitized, length-safe Docker tags.

• Improvements

  • Faster, finer-grained caching for gateway routing and VMs.
  • Streamlined bulk domain and gateway updates; JSON-based gateway configs.
  • GW HTTPS port default set to 6433.

• Refactor

  • ACME challenge model and queries simplified (domain-based), enabling type filtering.
  • Backend architecture modularized.

• Chores

  • Added Docker/Kubernetes client dependencies.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 6576683

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
dashboard	Ready	Preview	Comment	Sep 12, 2025 11:12am

1 Skipped Deployment

Project	Deployment	Preview	Comments	Updated (UTC)
engineering	Ignored	Preview		Sep 12, 2025 11:12am

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds pluggable deployment backends (MetalD, Docker, K8s), Cloudflare DNS-01 ACME support and provider, bulk DB operations via an sqlc plugin (bulk insert/upsert), schema/ACME query/signature changes (domain_id primary key), GW HTTP proxy toggle, Docker tag sanitization and Linux build flag, and numerous generated SQL helpers and codegen config.

Changes

Cohort / File(s)	Summary
CTRL config & CLI wiring go/apps/ctrl/config.go, go/cmd/ctrl/main.go	Add MetaldBackend and DefaultDomain; replace AcmeEnabled bool with Acme AcmeConfig{Cloudflare{Enabled, ApiToken}}; wire new CLI flags.
Ctrl run & ACME wiring go/apps/ctrl/run.go	Build deploy workflow using deployment.DeployWorkflowConfig; wire MetaldBackend/DefaultDomain; create Cloudflare provider when configured and enable DNS-01 challenge handling; ensure wildcard domain entry when DefaultDomain set.
Deploy workflow & request changes go/apps/ctrl/services/deployment/deploy_workflow.go, .../create_deployment.go	Introduce DeployWorkflowConfig; replace direct MetalD client with DeploymentBackend abstraction; add defaultDomain; Domain field added to DeployRequest; bulk domain/gateway processing, protojson gateway config marshaling, polling to "ready".
Deployment backend abstraction & factory go/apps/ctrl/services/deployment/backend_adapter.go, .../backends/interface.go	New DeploymentBackend interface, ValidateBackendType, NewDeploymentBackend factory; constants for backend types and backend selection logic.
Concrete local backends go/apps/ctrl/services/deployment/backends/docker.go, .../backends/k8s.go	Add Docker and Kubernetes backend implementations with Create/Get/Delete flows, resource naming/cleanup, and constructors.
GW router toggle & services wiring go/apps/gw/router/register.go, go/apps/gw/router/services.go, go/apps/gw/run.go	Add Services.HttpProxy flag (set to !cfg.EnableTLS) and conditional plaintext proxying vs HTTPS redirect (308); adjust router initialization.
GW services adjustments go/apps/gw/services/*	Cache TTL/Clock changes; partition-db import aliasing (pdb) and switching partition queries to pdb.*; use protojson for gateway config marshaling; certmanager DB import fixes.
ACME providers & workflow go/apps/ctrl/services/acme/providers/cloudflare_provider.go, .../http_provider.go, .../certificate_workflow.go	Add CloudflareProvider and config; HTTPProvider implements ProviderTimeout and clears tokens on cleanup; certificate workflow renamed steps and now completes challenges by domain_id using new DB methods.
DB bulk plugin and generated code go/pkg/partition/db/sqlc.json, go/pkg/partition/db/querier_bulk_generated.go, go/pkg/partition/db/*_sql_generated.go, go/pkg/partition/db/queries.go	Enable sqlc bulk-insert plugin; add BulkQuerier/BulkQueries; generated methods InsertCertificates, UpsertGateway (now includes workspace_id), UpsertVM; generated filenames changed to *_generated.go.
Partition DB surface & removals go/pkg/partition/db/interface.go, .../database.go, .../replica.go, .../handle_err_*.go	Remove legacy partition DB wrapper, Replica type and helper IsNotFound/IsDuplicateKeyError; expose type DBTX = maindb.DBTX.
ACME query/signature & schema changes go/pkg/db/*acme_challenge*_*.go, go/pkg/db/queries/*, go/pkg/db/schema.sql, internal/db/src/schema/acme_challenges.ts	ListExecutableChallenges now accepts verificationTypes and returns Type; add ClearAcmeChallengeTokens and UpdateAcmeChallengeVerifiedWithExpiry; remove id from acme_challenges, make domain_id primary key, shorten varchar lengths, and add status index; generated models updated.
SQLC query edits & generated removals go/pkg/db/queries/acme_challenge_update_expires_at.sql, go/pkg/db/acme_challenge_update_expires_at.sql_generated.go	Removed query and generated updater that used numeric id for expires_at updates; replaced by domain_id-based update.
Generator tweaks go/pkg/db/plugins/bulk-insert/generator.go, .../README.md	Rename generated filenames to *_generated.go; update compile-time assertion/comments to reference BulkQueries.
Docker tag & deploy CLI go/cmd/deploy/build_docker.go, go/cmd/deploy/main.go	Add Docker tag sanitization and length cap; add --linux flag and DeployOptions.Linux; allow --platform linux/amd64 for builds.
Go module deps go/go.mod	Add Docker/Kubernetes client libraries and many indirect dependencies; add local module replace for deploy TLS package.
SQL bulk helpers & gateway upsert changes go/pkg/partition/db/bulk_*.sql_generated.go, go/pkg/partition/db/gateway_upsert.sql_generated.go	Add generated bulk helpers: InsertCertificates, UpsertGateway (now accepts workspace_id), UpsertVM; UpsertGateway SQL now includes workspace_id.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Operator
  participant CtrlRun as ctrl.Run
  participant WF as DeployWorkflow
  participant Factory as NewDeploymentBackend
  participant BE as DeploymentBackend
  participant PDB as Partition DB (Bulk)

  Operator->>CtrlRun: start with Config{MetaldBackend, DefaultDomain, MetalD client}
  CtrlRun->>WF: NewDeployWorkflow(DeployWorkflowConfig)
  WF->>Factory: NewDeploymentBackend(MetalD client, MetaldBackend)
  Factory-->>WF: DeploymentBackend (MetalD or Local Docker/K8s)
  alt Create deployment
    WF->>BE: CreateDeployment(request)
    BE-->>WF: VM IDs / initial info
    WF->>PDB: Bulk insert VMs / UpsertGateway / InsertCertificates
    loop Poll until all RUNNING
      WF->>BE: GetDeployment(deploymentID)
      BE-->>WF: VM states
      WF->>PDB: Bulk upsert VM statuses
    end
    WF->>PDB: Mark deployment ready
  end

Loading

sequenceDiagram
  autonumber
  participant Client
  participant GW as Gateway (HTTP)
  participant Router as Router.Services

  Client->>GW: GET /
  alt Services.HttpProxy = true
    GW->>Router: proxyHandler (plaintext HTTP proxy)
  else
    GW-->>Client: 308 Permanent Redirect to HTTPS
  end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• feat: bulk insert plugin for sqlc #3631 — sqlc bulk-insert plugin and generated BulkQueries helpers; directly related to the new bulk SQL generation and API surface.
• feat: e2e deploy with docker works #3567 — Docker-based deployment provisioning; closely related to the Docker backend implementation added here.
• feat: update protos and control plane #3901 — Migration to metald v1 client; intersects with MetalD client usage and deployment backend selection.

Pre-merge checks (2 passed, 1 warning)

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description Check	⚠️ Warning	The PR description contains a useful high-level summary and manual testing notes but does not follow the repository's required template: it lacks a "Fixes #…" issue reference, the "Type of change" checkboxes are not selected, the "How should this be tested?" section still contains placeholder lines instead of concrete reproducible steps, and the required checklist items remain unchecked. Because those template-required fields and detailed test instructions are missing or incomplete, the description is not sufficient for a merge decision.	Please update the PR description to use the provided template: add a linked issue (Fixes #), mark the appropriate "Type of change" checkbox(es), replace the "How should this be tested?" placeholders with concrete reproducible steps (commands, env vars, expected results), and complete or explain the required checklist entries; after that, request a re-review.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The title "feat: spawn in ctrl" is short and directly pertains to the primary change in this PR (adding a spawn/local-backend capability to the control plane), so it accurately summarizes the main feature and is concise enough for changelog/history scanning. It is slightly terse and could be clearer by mentioning "local spawn backend" or the supported backends (docker/k8s), but it meets the repository's title criteria.
Docstring Coverage	✅ Passed	Docstring coverage is 87.50% which is sufficient. The required threshold is 80.00%.

✨ Finishing touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/spawn-in-ctrl

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Thank you for following the naming conventions for pull request titles! 🙏

[coderabbitai]

Actionable comments posted: 41

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (23)

go/apps/gw/services/caches/caches.go (6)

84-85: Error context nit: rename “routing cache” to “gateway config cache”.

Minor clarity fix.

-        return Caches{}, fmt.Errorf("failed to create routing cache: %w", err)
+        return Caches{}, fmt.Errorf("failed to create gateway config cache: %w", err)

---

111-118: Key verification cache: confirm revocation latency and invalidation path.

1m fresh reduces churn, but ensure worst-case key revocation latency ≤ 1m or that revocations actively invalidate entries (event/explicit delete).

I can sketch an invalidation hook on revoke events if you want.

---

119-121: Add error context for verification cache init.

For consistency and better logs.

-    if err != nil {
-        return Caches{}, err
-    }
+    if err != nil {
+        return Caches{}, fmt.Errorf("failed to create verification key cache: %w", err)
+    }

---

59-74: Doc example fix: field name mismatch.

Example uses KeyByHash, but the struct field is VerificationKeyByHash.

-//  // Use the caches
-//  // key, err := caches.KeyByHash.Get(ctx, "some-hash")
+//  // Use the caches
+//  // key, err := caches.VerificationKeyByHash.Get(ctx, "some-hash")

---

74-82: Default nil Clock to a real clock in caches.New (go/internal/services/caches/caches.go)

Resolve config.Clock locally and pass it to every cache.New in that function:

clk := config.Clock
if clk == nil {
clk = clock.New()
}

Replace Clock: config.Clock → Clock: clk for each cache.New call in this New function.

---

75-83: GatewayConfig TTLs: Stale < Fresh and too small — increase stale to avoid origin stampedes.

• The cache implements inflight coalescing for background revalidations (inflightRefreshes + revalidateC in go/pkg/cache/cache.go) but DOES NOT coalesce concurrent synchronous misses. Stale=30s removes the fail‑open cushion and can cause dogpiles; Stale must be >= Fresh.
  Apply:

-        Fresh:    time.Minute,
-        Stale:    time.Second * 30,
+        Fresh:    time.Minute,
+        Stale:    5 * time.Minute,

File: go/apps/gw/services/caches/caches.go (around lines 75-83)

go/pkg/db/plugins/bulk-insert/generator.go (2)

103-109: Don’t silently drop parse errors.

generateBulkInsertFunction returns nil on parser failure, which hides errors and produces partial outputs. Prefer surfacing diagnostics or failing generation to avoid drifting generated code.

Apply failure propagation (example pattern):

- parsedQuery, err := parser.Parse(query)
- if err != nil {
-   return nil
- }
+ parsedQuery, err := parser.Parse(query)
+ if err != nil {
+   // bubble up with context so CI fails loudly
+   panic(fmt.Errorf("bulk-insert: parse failed for %q: %w", query.Name, err))
+ }

---

29-36: Plugin options are ignored; read them from the request.

sqlc.json passes "emit_methods_with_db_argument": true, but Generator never reads plugin options. Wire Options from the plugin request so config changes take effect without code edits (and allow overriding Package when needed).

I can draft a small helper to decode the plugin’s options map into Options if you confirm the plugin-sdk fields you want to use.

go/apps/ctrl/services/deployment/create_deployment.go (4)

66-74: Comment is inaccurate about the cutoff timestamp.

1_000_000_000_000 ms is ~Sep 9, 2001, not “January 1, 2001”. Fix the comment to avoid confusion.

- // This corresponds to January 1, 2001 in milliseconds
+ // ~Sep 9, 2001 in milliseconds (1e12 ms)

---

113-115: PII persistence risk: username/avatar URL.

Storing author username and avatar URL is PII and conflicts with the TODO. Either drop these fields, store ephemeral in-memory data, or replace with a stable hash/ID. Ensure a documented retention policy if you must store them.

I can provide a patch to omit these columns and backfill via GitHub at read-time if desired.

---

129-137: Validate/sanitize Docker image tag from the API.

CLI now sanitizes tags, but CreateDeployment accepts arbitrary docker_image. Validate here (e.g., using github.com/distribution/reference) to reject invalid or dangerous refs early.

I can wire a small validator to parse normalized references and return CodeInvalidArgument on failure.

---

151-154: Persist execution ID (or last-start-at) for observability.

Log-only execution IDs hinder debugging and UX. Persist execution_id or a last_start timestamp on the deployment to correlate runs and surface state in the UI.

go/go.mod (1)

3-3: Invalid go directive: patch versions are not allowed

go 1.24.4 is invalid. The go directive only accepts major.minor. If you need a specific patch, use the toolchain directive.

Apply this diff:

-go 1.24.4
+go 1.24
+toolchain go1.24.4

go/apps/ctrl/config.go (1)

67-70: Validate allowed values for Metald fallback

Currently Validate() ignores invalid values. Restrict to "", "docker", or "k8s".

Apply this diff:

 func (c Config) Validate() error {
-
-	return nil
+	switch strings.ToLower(c.MetaldFallback) {
+	case "", "docker", "k8s":
+	default:
+		return fmt.Errorf("invalid MetaldFallback %q (allowed: \"docker\", \"k8s\", or empty)", c.MetaldFallback)
+	}
+	return nil
 }

Add imports at top:

 import (
 	"github.com/unkeyed/unkey/go/pkg/clock"
 	"github.com/unkeyed/unkey/go/pkg/tls"
+	"fmt"
+	"strings"
 )

go/apps/gw/services/certmanager/certmanager.go (2)

56-76: Bug: returns (nil, nil) when cache holds Null sentinel

When hit == cache.Null, err is nil, so return nil, err yields a nil error and caller may dereference a nil certificate.

Apply this diff:

 	cert, hit, err := s.cache.SWR(ctx, domain, func(ctx context.Context) (tls.Certificate, error) {
 		row, err := pdb.Query.FindCertificateByHostname(ctx, s.db.RO(), domain)
 		if err != nil {
 			return tls.Certificate{}, err
 		}
@@
 		return cert, nil
 	}, caches.DefaultFindFirstOp)
 
 	if err != nil {
 		// todo: handle error
@@
-	if hit == cache.Null {
-		return nil, err
-	}
+	if hit == cache.Null {
+		// propagate a clear not-found error; adjust to your repo's sentinel as needed
+		return nil, db.ErrNotFound
+	}
 
 	return &cert, nil

Also applies to: 99-104

---

49-54: Normalize domain to lowercase before lookup/caching

SNI is case-insensitive. Lowercasing avoids cache misses and duplicate reads.

Apply this diff:

 func (s *service) GetCertificate(ctx context.Context, domain string) (*tls.Certificate, error) {
+	domain = strings.ToLower(domain)
 	if s.defaultCertDomain != "" {
 		if strings.HasSuffix(domain, s.defaultCertDomain) && domain != "*."+s.defaultCertDomain {
 			return s.GetCertificate(ctx, "*."+s.defaultCertDomain)
 		}
 	}

go/pkg/partition/db/queries.go (1)

31-32: Consider documenting BulkQuery usage

A brief comment mirroring Query’s examples would help discoverability.

Apply this diff:

-var BulkQuery BulkQuerier = &BulkQueries{}
+// BulkQuery provides access to batch operations generated by sqlc.
+// Example:
+//   err := db.BulkQuery.InsertCertificates(ctx, database.RW(), paramsSlice)
+var BulkQuery BulkQuerier = &BulkQueries{}

go/apps/gw/services/routing/service.go (2)

104-129: Nil/empty VM addresses not filtered — leads to invalid URLs

Address is sql.NullString. Without checking Valid/non-empty, you may construct "http://". Filter such VMs.

-	availableVms := make([]pdb.Vm, 0)
+	availableVms := make([]pdb.Vm, 0, len(config.Vms))
 	for _, vm := range config.Vms {
 		vm, hit, err := s.vmCache.SWR(ctx, vm.Id, func(ctx context.Context) (pdb.Vm, error) {
 			// refactor: this is bad BAD, we should really add a getMany method to the cache
 			return pdb.Query.FindVMById(ctx, s.db.RO(), vm.Id)
 		}, caches.DefaultFindFirstOp)
@@
-		if vm.Status != pdb.VmsStatusRunning {
+		if vm.Status != pdb.VmsStatusRunning {
 			continue
 		}
+		if !vm.Address.Valid || vm.Address.String == "" {
+			continue
+		}
 
 		availableVms = append(availableVms, vm)
 	}

---

135-145: Be robust to pre-schemed addresses and seed RNG

• If Address already includes a scheme, current code yields an invalid URL (e.g., "http://http://...").
• math/rand default source is deterministic; seed once.

-	selectedVM := availableVms[rand.Intn(len(availableVms))]
-
-	fullUrl := fmt.Sprintf("http://%s", selectedVM.Address.String)
-
-	targetURL, err := url.Parse(fullUrl)
+	selectedVM := availableVms[rand.Intn(len(availableVms))]
+	raw := selectedVM.Address.String
+	u, perr := url.Parse(raw)
+	if perr == nil && u.Scheme != "" {
+		targetURL = u
+	} else {
+		targetURL, err = url.Parse("http://" + raw)
+	}
 	if err != nil {
-		return nil, fmt.Errorf("invalid VM URL %s: %w", fullUrl, err)
+		return nil, fmt.Errorf("invalid VM URL %s: %w", raw, err)
 	}

Also seed once in this package (e.g., in an init):

func init() { rand.Seed(time.Now().UnixNano()) }

go/apps/ctrl/run.go (3)

174-186: Dev auth headers should not be sent in SPIFFE/TLS mode; gate and downgrade log noise

The hardcoded Authorization/X-Tenant-ID headers are always injected and logged at info level. This risks leaking dev-only behavior into prod and spams logs per call. Only add the interceptor for local dev (plain HTTP) and log at debug.

Apply this diff:

-	metaldClient := metaldv1connect.NewVmServiceClient(
-		httpClient,
-		cfg.MetaldAddress,
-		connect.WithInterceptors(connect.UnaryInterceptorFunc(func(next connect.UnaryFunc) connect.UnaryFunc {
-			return func(ctx context.Context, req connect.AnyRequest) (connect.AnyResponse, error) {
-				logger.Info("Adding auth headers to metald request", "procedure", req.Spec().Procedure)
-				req.Header().Set("Authorization", "Bearer dev_user_ctrl")
-				req.Header().Set("X-Tenant-ID", "ctrl-tenant")
-				return next(ctx, req)
-			}
-		})),
-	)
+	var metaldOpts []connect.ClientOption
+	// Only attach dev headers when running without SPIFFE (local dev)
+	if cfg.SPIFFESocketPath == "" {
+		metaldOpts = append(metaldOpts,
+			connect.WithInterceptors(connect.UnaryInterceptorFunc(func(next connect.UnaryFunc) connect.UnaryFunc {
+				return func(ctx context.Context, req connect.AnyRequest) (connect.AnyResponse, error) {
+					logger.Debug("Adding dev auth headers to metald request", "procedure", req.Spec().Procedure)
+					req.Header().Set("Authorization", "Bearer dev_user_ctrl")
+					req.Header().Set("X-Tenant-ID", "ctrl-tenant")
+					return next(ctx, req)
+				}
+			})),
+		)
+	}
+	metaldClient := metaldv1connect.NewVmServiceClient(httpClient, cfg.MetaldAddress, metaldOpts...)

---

146-166: Close TLS provider on shutdown to avoid leaks

If deployTLS.NewProvider starts background watchers, it likely needs a Close. Register it with shutdowns.

Example patch (safe, reflection-free):

-		tlsProvider, tlsErr := deployTLS.NewProvider(ctx, tlsConfig)
+		tlsProvider, tlsErr := deployTLS.NewProvider(ctx, tlsConfig)
 		if tlsErr != nil {
 			return fmt.Errorf("failed to create TLS provider for metald: %w", tlsErr)
 		}
 
 		httpClient = tlsProvider.HTTPClient()
 		authMode = "SPIRE"
+		// Best-effort cleanup
+		if closer, ok := any(tlsProvider).(interface{ Close() error }); ok {
+			shutdowns.Register(func(ctx context.Context) error { return closer.Close() })
+		}

---

336-339: Wrong variable logged; misleading message

Logs err instead of registerErr, and the message references “daily report” instead of certificate challenge.

Apply this diff:

-			if registerErr != nil {
-				logger.Error("Failed to register daily report cron job", "error", err)
+			if registerErr != nil {
+				logger.Error("Failed to register certificate-challenge cron job", "error", registerErr)
 				return
 			}

go/apps/ctrl/services/deployment/deploy_workflow.go (1)

104-115: Use StepVoid for write-only steps

These steps return no value; StepVoid removes boilerplate and reduces allocations.

Apply:

-	_, err = hydra.Step(ctx, "update-version-building", func(stepCtx context.Context) (*struct{}, error) {
-		updateErr := db.Query.UpdateDeploymentStatus(stepCtx, w.db.RW(), db.UpdateDeploymentStatusParams{
+	err = hydra.StepVoid(ctx, "update-version-building", func(stepCtx context.Context) error {
+		return db.Query.UpdateDeploymentStatus(stepCtx, w.db.RW(), db.UpdateDeploymentStatusParams{
 			ID:        req.DeploymentID,
 			Status:    db.DeploymentsStatusBuilding,
 			UpdatedAt: sql.NullInt64{Valid: true, Int64: time.Now().UnixMilli()},
 		})
-		if updateErr != nil {
-			return nil, fmt.Errorf("failed to update version status to building: %w", updateErr)
-		}
-		return &struct{}{}, nil
 	})

-	_, err = hydra.Step(ctx, "update-version-deploying", func(stepCtx context.Context) (*struct{}, error) {
-		deployingErr := db.Query.UpdateDeploymentStatus(stepCtx, w.db.RW(), db.UpdateDeploymentStatusParams{
+	err = hydra.StepVoid(ctx, "update-version-deploying", func(stepCtx context.Context) error {
+		return db.Query.UpdateDeploymentStatus(stepCtx, w.db.RW(), db.UpdateDeploymentStatusParams{
 			ID:        req.DeploymentID,
 			Status:    db.DeploymentsStatusDeploying,
 			UpdatedAt: sql.NullInt64{Valid: true, Int64: time.Now().UnixMilli()},
 		})
-		if deployingErr != nil {
-			return nil, fmt.Errorf("failed to update version status to deploying: %w", deployingErr)
-		}
-		return &struct{}{}, nil
 	})

Also applies to: 153-164

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fc04590 and 71806b0.

⛔ Files ignored due to path filters (1)

• go/go.sum is excluded by !**/*.sum

📒 Files selected for processing (35)

• go/apps/ctrl/config.go (1 hunks)
• go/apps/ctrl/run.go (1 hunks)
• go/apps/ctrl/services/deployment/backend.go (1 hunks)
• go/apps/ctrl/services/deployment/create_deployment.go (2 hunks)
• go/apps/ctrl/services/deployment/deploy_workflow.go (7 hunks)
• go/apps/ctrl/services/deployment/fallbacks/docker.go (1 hunks)
• go/apps/ctrl/services/deployment/fallbacks/interface.go (1 hunks)
• go/apps/ctrl/services/deployment/fallbacks/k8s.go (1 hunks)
• go/apps/gw/router/register.go (1 hunks)
• go/apps/gw/router/services.go (1 hunks)
• go/apps/gw/run.go (2 hunks)
• go/apps/gw/services/caches/caches.go (3 hunks)
• go/apps/gw/services/certmanager/certmanager.go (2 hunks)
• go/apps/gw/services/certmanager/interface.go (1 hunks)
• go/apps/gw/services/routing/interface.go (2 hunks)
• go/apps/gw/services/routing/service.go (5 hunks)
• go/cmd/ctrl/main.go (2 hunks)
• go/cmd/deploy/build_docker.go (2 hunks)
• go/cmd/gw/main.go (1 hunks)
• go/go.mod (5 hunks)
• go/pkg/db/plugins/bulk-insert/generator.go (1 hunks)
• go/pkg/partition/db/bulk_certificate_insert.sql_generated.go (1 hunks)
• go/pkg/partition/db/bulk_gateway_upsert.sql_generated.go (1 hunks)
• go/pkg/partition/db/bulk_vm_upsert.sql_generated.go (1 hunks)
• go/pkg/partition/db/database.go (1 hunks)
• go/pkg/partition/db/gateway_upsert.sql_generated.go (1 hunks)
• go/pkg/partition/db/handle_err_duplicate_key.go (0 hunks)
• go/pkg/partition/db/handle_err_no_rows.go (0 hunks)
• go/pkg/partition/db/interface.go (0 hunks)
• go/pkg/partition/db/querier_bulk_generated.go (1 hunks)
• go/pkg/partition/db/querier_generated.go (1 hunks)
• go/pkg/partition/db/queries.go (2 hunks)
• go/pkg/partition/db/queries/gateway_upsert.sql (1 hunks)
• go/pkg/partition/db/replica.go (0 hunks)
• go/pkg/partition/db/sqlc.json (2 hunks)

💤 Files with no reviewable changes (4)

• go/pkg/partition/db/handle_err_no_rows.go
• go/pkg/partition/db/interface.go
• go/pkg/partition/db/replica.go
• go/pkg/partition/db/handle_err_duplicate_key.go

🧰 Additional context used

🧠 Learnings (2)

📚 Learning: 2025-07-15T14:59:30.212Z

Learnt from: chronark
PR: unkeyed/unkey#3560
File: go/deploy/metald/internal/database/repository.go:0-0
Timestamp: 2025-07-15T14:59:30.212Z
Learning: go/deploy/metald cannot currently import helpers from go/pkg/db because it is not yet part of the main Go module; avoid suggesting such imports until the modules are unified.

Applied to files:

• go/apps/gw/services/certmanager/interface.go
• go/apps/gw/services/certmanager/certmanager.go

📚 Learning: 2025-07-17T14:24:20.403Z

Learnt from: Flo4604
PR: unkeyed/unkey#3631
File: go/pkg/db/bulk_keyring_insert.sql.go:23-25
Timestamp: 2025-07-17T14:24:20.403Z
Learning: In go/pkg/db/bulk_keyring_insert.sql.go and similar bulk insert generated files, hardcoded zero values for fields like size_approx and size_last_updated_at are intentional and reflect the original SQL query structure, not missing parameters.

Applied to files:

• go/pkg/partition/db/querier_bulk_generated.go
• go/pkg/partition/db/bulk_certificate_insert.sql_generated.go
• go/pkg/db/plugins/bulk-insert/generator.go

🧬 Code graph analysis (16)

go/pkg/partition/db/queries.go (1)

go/pkg/partition/db/querier_bulk_generated.go (1)

• BulkQuerier (8-12)

go/apps/ctrl/services/deployment/fallbacks/docker.go (1)

go/pkg/otel/logging/interface.go (1)

• Logger (11-116)

go/pkg/partition/db/querier_bulk_generated.go (5)

go/pkg/partition/db/database.go (1)

• DBTX (10-10)

go/pkg/partition/db/certificate_insert.sql_generated.go (1)

• InsertCertificateParams (23-30)

go/pkg/partition/db/gateway_upsert.sql_generated.go (1)

• UpsertGatewayParams (17-21)

go/pkg/partition/db/vm_upsert.sql_generated.go (1)

• UpsertVMParams (24-31)

go/pkg/partition/db/queries.go (1)

• BulkQueries (4-4)

go/apps/ctrl/run.go (2)

go/apps/ctrl/services/deployment/deploy_workflow.go (2)

• NewDeployWorkflow (39-55)
• DeployWorkflowConfig (30-36)

go/pkg/otel/logging/interface.go (1)

• Logger (11-116)

go/pkg/partition/db/bulk_gateway_upsert.sql_generated.go (3)

go/pkg/partition/db/queries.go (1)

• BulkQueries (4-4)

go/pkg/partition/db/database.go (1)

• DBTX (10-10)

go/pkg/partition/db/gateway_upsert.sql_generated.go (1)

• UpsertGatewayParams (17-21)

go/pkg/partition/db/bulk_certificate_insert.sql_generated.go (4)

go/pkg/partition/db/queries.go (1)

• BulkQueries (4-4)

go/pkg/partition/db/database.go (1)

• DBTX (10-10)

go/pkg/partition/db/certificate_insert.sql_generated.go (1)

• InsertCertificateParams (23-30)

go/pkg/partition/db/models_generated.go (1)

• Certificate (104-112)

go/cmd/deploy/build_docker.go (2)

go/cmd/deploy/main.go (1)

• DeployOptions (83-98)

go/pkg/git/git.go (1)

• Info (9-15)

go/apps/gw/run.go (4)

go/apps/gw/services/certmanager/certmanager.go (1)

• New (38-46)

go/apps/gw/services/routing/service.go (1)

• New (33-49)

go/apps/gw/services/certmanager/interface.go (1)

• Config (18-35)

go/apps/gw/services/routing/interface.go (1)

• Config (25-32)

go/apps/gw/services/routing/interface.go (1)

go/pkg/partition/db/models_generated.go (1)

• Vm (136-144)

go/pkg/partition/db/bulk_vm_upsert.sql_generated.go (3)

go/pkg/partition/db/queries.go (1)

• BulkQueries (4-4)

go/pkg/partition/db/database.go (1)

• DBTX (10-10)

go/pkg/partition/db/vm_upsert.sql_generated.go (1)

• UpsertVMParams (24-31)

go/apps/ctrl/services/deployment/fallbacks/interface.go (4)

go/pkg/otel/logging/interface.go (1)

• Logger (11-116)

go/apps/ctrl/services/deployment/backend.go (1)

• DeploymentBackend (15-18)

go/apps/ctrl/services/deployment/fallbacks/k8s.go (1)

• NewK8sBackend (43-68)

go/apps/ctrl/services/deployment/fallbacks/docker.go (1)

• NewDockerBackend (38-60)

go/apps/gw/services/routing/service.go (2)

go/pkg/partition/db/models_generated.go (2)

• Vm (136-144)
• VmsStatusRunning (63-63)

go/apps/gw/services/routing/interface.go (1)

• Config (25-32)

go/apps/ctrl/services/deployment/fallbacks/k8s.go (1)

go/pkg/otel/logging/interface.go (1)

• Logger (11-116)

go/apps/ctrl/services/deployment/backend.go (2)

go/pkg/otel/logging/interface.go (1)

• Logger (11-116)

go/apps/ctrl/services/deployment/fallbacks/interface.go (2)

• DeploymentBackend (12-24)
• NewBackend (27-36)

go/apps/ctrl/services/deployment/deploy_workflow.go (9)

go/pkg/otel/logging/interface.go (1)

• Logger (11-116)

go/apps/ctrl/services/deployment/backend.go (2)

• DeploymentBackend (15-18)
• NewDeploymentBackend (97-109)

go/gen/proto/metald/v1/deployment.pb.go (9)

• CreateDeploymentRequest (100-105)
• CreateDeploymentRequest (118-118)
• CreateDeploymentRequest (133-135)
• DeploymentRequest (24-33)
• DeploymentRequest (46-46)
• DeploymentRequest (61-63)
• GetDeploymentResponse_Vm (452-460)
• GetDeploymentResponse_Vm (473-473)
• GetDeploymentResponse_Vm (488-490)

go/pkg/git/git.go (2)

• Info (9-15)
• GetInfo (19-51)

go/pkg/partition/db/vm_upsert.sql_generated.go (1)

• UpsertVMParams (24-31)

go/pkg/partition/db/models_generated.go (1)

• VmsStatusRunning (63-63)

go/pkg/hydra/step.go (2)

• Step (67-276)
• StepVoid (302-310)

go/pkg/db/domain_insert.sql_generated.go (1)

• InsertDomainParams (38-47)

go/pkg/partition/db/gateway_upsert.sql_generated.go (1)

• UpsertGatewayParams (17-21)

go/cmd/ctrl/main.go (1)

go/pkg/cli/flag.go (3)

• String (376-408)
• EnvVar (287-304)
• Bool (411-447)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: Test Packages / Test
• GitHub Check: Test API / API Test Local
• GitHub Check: Build / Build
• GitHub Check: Test Go API Local / Test

🔇 Additional comments (26)

go/apps/gw/services/caches/caches.go (1)

87-95: VM cache TTLs: validate backend capacity with 10s fresh.

10s fresh + 1m stale increases refresh frequency. Ensure the loader coalesces concurrent refreshes and continues serving stale on loader errors.

If needed, consider 20–30s fresh to reduce churn.

go/pkg/db/plugins/bulk-insert/generator.go (2)

148-153: Filename suffix change aligns with sqlc.json.

Renaming to bulk_%s_generated.go is consistent with output_files_suffix "_generated" and the examples added in this PR. Good for tooling and grepability.

---

171-206: Resolved — DBTX and BulkQueries exist.
DBTX is defined at go/pkg/db/interface.go:29 and BulkQueries at go/pkg/db/queries.go:4; the generated DBTX reference and (*BulkQueries)(nil) assertion are valid.

go/apps/ctrl/services/deployment/create_deployment.go (2)

90-96: LGTM: defensive trimming and bounds.

Length capping and trimming on commit metadata reduce DB/PII risk and index bloat.

---

139-144: Make StartWorkflow idempotent by using a deterministic execution ID

No hydra option like WithWorkflowID/WithIdempotency was found in go/pkg/hydra — update go/apps/ctrl/services/deployment/create_deployment.go (lines 139–144) to pass a deterministic execution/idempotency key (derived from deploymentID) to StartWorkflow; if hydra lacks that API, add an Engine/StartWorkflow option to accept and persist an explicit execution ID for deduplication on retries.

go/pkg/partition/db/sqlc.json (1)

8-16: Enabling the bulk-insert plugin in codegen is correct.

Matches the generator’s new filename scheme and keeps generated artifacts isolated via “_generated”.

go/go.mod (1)

77-86: github.com/containerd/errdefs/pkg is a published module — do not drop it blindly.

go/go.mod:78 and go/go.sum include github.com/containerd/errdefs/pkg v0.3.0 (indirect); the pkg module is published upstream. (libraries.io) No direct imports found in the repo; run cd go && go mod why -m github.com/containerd/errdefs/pkg to trace which dependency requires it.

Likely an incorrect or invalid review comment.

go/apps/gw/services/certmanager/interface.go (1)

8-8: Import path switch to unified db package looks good

Typing DB db.Database against github.com/unkeyed/unkey/go/pkg/db matches the ongoing migration away from pkg/partition/db.

go/pkg/partition/db/querier_generated.go (1)

21-26: ```shell
#!/bin/bash
set -euo pipefail

echo "PWD: $(pwd)"
echo
echo "---- list go/pkg/partition/db ----"
ls -la go/pkg/partition/db || true
echo

echo "---- search for non-generated .sql files that mention gateway(s) ----"
rg -n --hidden -S --glob '!**/*.sql_generated.go' 'gateway|gateways' go/pkg/partition/db || true
echo

echo "---- search all .sql files in repo for 'gateways' or 'gateway' (show file:line) ----"
rg -n --hidden -S --glob '**/*.sql' 'gateways|gateway' || true
echo

echo "---- search repo for 'workspace_id' (show file:line and 2 lines context) ----"
rg -n -C2 'workspace_id' || true
echo

echo "---- search repo for INSERT/ON CONFLICT/upsert patterns related to gateways ----"
rg -n -C2 'INSERT INTO gateways|ON CONFLICT.*gateways|UpsertGateway|upsert.*gateway|upsert_gateway|INSERT INTO gateways' || true
echo

echo "---- show gateway-related files under go/pkg/partition/db (first 200 lines) ----"
for f in $(rg -l --hidden -S 'gateway|gateways' go/pkg/partition/db || true); do
echo "---- $f ----"
sed -n '1,200p' "$f"
done

</blockquote></details>
<details>
<summary>go/apps/gw/router/services.go (1)</summary><blockquote>

`25-26`: **LGTM: HTTP proxy switch is a clean toggle**

The `HttpProxy` flag integrates well with the conditional routing added in register.go.

</blockquote></details>
<details>
<summary>go/pkg/partition/db/queries.go (1)</summary><blockquote>

`4-4`: **LGTM: BulkQueries type introduction**

Adding `BulkQueries` and the `BulkQuery` singleton cleanly separates batch operations.

</blockquote></details>
<details>
<summary>go/apps/gw/services/routing/interface.go (1)</summary><blockquote>

`10-13`: **Approve — partition DB aliasing (pdb/partitiondb) verified**

No remaining `cache.Cache[string, db.Vm]` occurrences; VM caches use `pdb.Vm` or `partitiondb.Vm`. Key locations: go/apps/gw/services/routing/interface.go (VMCache `cache.Cache[string, pdb.Vm]`), go/apps/gw/services/routing/service.go (vmCache `cache.Cache[string, pdb.Vm]` and uses `pdb.Query.FindVMById` → `pdb.Vm`), go/apps/gw/services/caches/caches.go (VM `cache.Cache[string, partitiondb.Vm]`).

</blockquote></details>
<details>
<summary>go/apps/gw/run.go (2)</summary><blockquote>

`268-280`: **HttpProxy toggled by TLS: verify router behavior and exposure**

Enabling `HttpProxy` whenever TLS is disabled is reasonable, but please confirm:
- The HTTP (ACME) server does not accidentally proxy app traffic when TLS is enabled elsewhere.
- Router only opens proxy paths when `HttpProxy` is true and on the intended server.

If needed, I can review `router.Register`/`router.Services` to ensure the flag gates the right routes.

---

`133-141`: **Partition DB via db.New — MySQL driver present and DSNs point to partition schema**

- Driver registration: go/pkg/db/database.go blank-imports _ "github.com/go-sql-driver/mysql".
- Partition package also blank-imports the driver: go/pkg/partition/db/database.go.
- DSNs confirmed: go/apps/gw/config.go documents DatabasePrimary/DatabaseReadonlyReplica as the partition (partition_001) and go/apps/gw/run.go uses cfg.DatabasePrimary to create partitionedDB.

</blockquote></details>
<details>
<summary>go/pkg/partition/db/database.go (2)</summary><blockquote>

`9-11`: **Alias-only surface is clean and sufficient**

Exposing only `type DBTX = maindb.DBTX` keeps generated code working while removing redundant wrappers. Nice simplification.

---

`3-7`: **Confirm driver import before removing blank import**  
No matches found for "github.com/go-sql-driver/mysql"; confirm which package registers the driver. If another package (e.g. go/pkg/db or main) imports it, remove the blank import from go/pkg/partition/db/database.go (lines 3–7); otherwise keep or centralize the import where DB connections are opened.

</blockquote></details>
<details>
<summary>go/apps/gw/services/routing/service.go (1)</summary><blockquote>

`61-63`: **Add fallback to binary protobuf when protojson.Unmarshal fails**

protojson.Unmarshal expects JSON bytes — fall back to proto.Unmarshal to support legacy binary-encoded DB rows.

File: go/apps/gw/services/routing/service.go Lines: 61-63

```diff
-		if err := protojson.Unmarshal(gatewayRow.Config, &gatewayConfig); err != nil {
-			return nil, fmt.Errorf("failed to unmarshal gateway config: %w", err)
-		}
+		if err := protojson.Unmarshal(gatewayRow.Config, &gatewayConfig); err != nil {
+			// Fallback for legacy binary-encoded rows
+			if uerr := proto.Unmarshal(gatewayRow.Config, &gatewayConfig); uerr != nil {
+				return nil, fmt.Errorf("failed to unmarshal gateway config (json, binary): %v, %v", err, uerr)
+			}
+		}

Add import:

"google.golang.org/protobuf/proto"

go/pkg/partition/db/bulk_vm_upsert.sql_generated.go (1)

12-17: MySQL VALUES() deprecation check

VALUES(col) in ON DUPLICATE KEY is deprecated in newer MySQL 8.0 series. If targeting 8.0.20+, consider the alias pattern (INSERT ... AS new ... UPDATE col=new.col) in the generator config.

go/pkg/partition/db/bulk_gateway_upsert.sql_generated.go (1)

11-13: Confirm DB version compatibility with VALUES()

Same deprecation concern as VMs upsert.

go/pkg/partition/db/gateway_upsert.sql_generated.go (3)

13-15: LGTM on column order and placeholders

---

18-21: Verify unique key matches upsert semantics

Ensure the gateways table has a UNIQUE key that matches the intended deduplication (hostname globally unique vs. composite (workspace_id, hostname)). Otherwise upserts may cross-tenant.

---

25-29: LGTM on exec param order

Arg order aligns with SQL.

go/apps/ctrl/services/deployment/fallbacks/interface.go (1)

14-18: Return shape mismatch vs. MetalD types

CreateDeployment returns []string here, while the MetalD path uses metaldv1.CreateDeploymentResponse. Ensure the adapter layer consistently maps image/VM IDs and status fields between paths.

go/pkg/partition/db/bulk_certificate_insert.sql_generated.go (1)

44-47: Single updated_at for all rows — confirm intended

You bind args[0].UpdatedAt once for all duplicates. Confirm that updated_at should be identical across the batch.

go/apps/ctrl/services/deployment/deploy_workflow.go (1)

173-178: Fix compile-time bug: for i := range 300 is invalid Go

This won’t build. Use a classic counted loop.

Apply:

-		for i := range 300 {
-			time.Sleep(time.Second)
+		for i := 0; i < 300; i++ {
+			time.Sleep(time.Second)
 			if i%10 == 0 { // Log every 10 seconds instead of every second
 				w.logger.Info("polling deployment status", "deployment_id", req.DeploymentID, "iteration", i)
 			}

⛔ Skipped due to learnings

Learnt from: Flo4604
PR: unkeyed/unkey#3800
File: go/apps/api/integration/multi_node_usagelimiting/run.go:107-126
Timestamp: 2025-08-19T08:57:31.793Z
Learning: Go 1.22+ supports "range over integers" syntax: `for range N` iterates N times, and `for i := range N` iterates with i from 0 to N-1. This is valid Go syntax and should not be flagged as a compilation error.

go/apps/ctrl/services/deployment/backend.go (1)

14-18: Interface looks good

The abstraction cleanly decouples the workflow from the backend selection.

[coderabbitai]

Review continued from previous batch...

[coderabbitai]

Actionable comments posted: 23

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (6)

go/cmd/deploy/build_docker.go (3)

186-219: Avoid Scanner token-too-long and surface scan errors (verbose mode).

Docker lines can exceed 64KiB; default bufio.Scanner limit truncates and sets an error that’s currently ignored.

   // Stream stdout
   go func() {
-    scanner := bufio.NewScanner(stdout)
+    scanner := bufio.NewScanner(stdout)
+    buf := make([]byte, 0, 256*1024)
+    scanner.Buffer(buf, 2*1024*1024)
     for scanner.Scan() {
       ui.PrintBuildProgress(scanner.Text())
     }
+    if err := scanner.Err(); err != nil {
+      ui.PrintBuildError(fmt.Sprintf("stdout scan error: %v", err))
+    }
   }()
 
   // Stream stderr
   go func() {
-    scanner := bufio.NewScanner(stderr)
+    scanner := bufio.NewScanner(stderr)
+    buf := make([]byte, 0, 256*1024)
+    scanner.Buffer(buf, 2*1024*1024)
     for scanner.Scan() {
       ui.PrintBuildError(scanner.Text())
     }
+    if err := scanner.Err(); err != nil {
+      ui.PrintBuildError(fmt.Sprintf("stderr scan error: %v", err))
+    }
   }()

---

241-334: Bound memory during capture and fix Scanner limits (spinner mode).

allOutput grows unbounded; store only a rolling window. Also lift Scanner buffer and report errors.

   // Track all output for error reporting
   var outputMu sync.Mutex
-  allOutput := []string{}
+  allOutput := []string{}
+  const maxStoredLines = 1000
 
   // Start progress spinner
   ui.StartStepSpinner(ProgressBuilding)
 
   // Stream stdout and track progress
   go func() {
-    scanner := bufio.NewScanner(stdout)
+    scanner := bufio.NewScanner(stdout)
+    buf := make([]byte, 0, 256*1024)
+    scanner.Buffer(buf, 2*1024*1024)
     for scanner.Scan() {
       line := scanner.Text()
 
       outputMu.Lock()
       allOutput = append(allOutput, line)
+      if len(allOutput) > maxStoredLines {
+        allOutput = allOutput[len(allOutput)-maxStoredLines:]
+      }
       outputMu.Unlock()
 
       // Update spinner with current step
       if step := extractDockerStep(line); step != "" {
         ui.UpdateStepSpinner(fmt.Sprintf("%s %s", ProgressBuilding, step))
       }
     }
+    if err := scanner.Err(); err != nil {
+      ui.PrintBuildError(fmt.Sprintf("stdout scan error: %v", err))
+    }
   }()
 
   // Stream stderr
   go func() {
-    scanner := bufio.NewScanner(stderr)
+    scanner := bufio.NewScanner(stderr)
+    buf := make([]byte, 0, 256*1024)
+    scanner.Buffer(buf, 2*1024*1024)
     for scanner.Scan() {
       line := scanner.Text()
 
       outputMu.Lock()
       allOutput = append(allOutput, line)
+      if len(allOutput) > maxStoredLines {
+        allOutput = allOutput[len(allOutput)-maxStoredLines:]
+      }
       outputMu.Unlock()
     }
+    if err := scanner.Err(); err != nil {
+      ui.PrintBuildError(fmt.Sprintf("stderr scan error: %v", err))
+    }
   }()
 
   ...
-      // Show last few lines of output for debugging
+      // Show last few lines of output for debugging
       if len(outputCopy) > 0 {

---

431-444: Make push error classification case-insensitive.

Some registries capitalize messages (“Denied”, “Unauthorized”); lowercasing avoids misses.

 func classifyPushError(output, registry string) string {
-  output = strings.TrimSpace(output)
+  output = strings.TrimSpace(output)
+  lower := strings.ToLower(output)
   registryHost := getRegistryHost(registry)
 
   switch {
-  case strings.Contains(output, "denied"):
+  case strings.Contains(lower, "denied"):
     return fmt.Sprintf("registry access denied. try: docker login %s", registryHost)
-  case strings.Contains(output, "not found") || strings.Contains(output, "404"):
+  case strings.Contains(lower, "not found") || strings.Contains(lower, "404"):
     return "registry not found. create repository or use --registry=your-registry/your-app"
-  case strings.Contains(output, "unauthorized"):
+  case strings.Contains(lower, "unauthorized"):
     return fmt.Sprintf("authentication required. run: docker login %s", registryHost)
   default:
     return output
   }
 }

go/go.mod (1)

3-3: Invalid go directive (patch version not allowed)

The go directive must be major.minor and must reference a released version. Use 1.23 (or your actual supported toolchain), not 1.24.4.

-go 1.24.4
+go 1.23

go/cmd/ctrl/main.go (1)

57-58: Do not hard-require metald-address when a local backend is selected

The unconditional Required() blocks docker/k8s-only local testing.

-		cli.String("metald-address", "Full URL of the metald service for VM operations. Required for deployments. Example: https://metald.example.com:8080",
-			cli.Required(), cli.EnvVar("UNKEY_METALD_ADDRESS")),
+		cli.String("metald-address", "Full URL of the metald service for VM operations. Example: https://metald.example.com:8080",
+			cli.EnvVar("UNKEY_METALD_ADDRESS")),

Config.Validate (in go/apps/ctrl/config.go) should enforce “metald-address required when --metald-backend is empty” (see my other comment).

go/apps/ctrl/run.go (1)

174-185: Hardcoded auth headers; read from config/env and avoid info-level spam

Do not ship a baked-in bearer. Make it configurable and only attach when set; log at Debug.

-	metaldClient := metaldv1connect.NewVmServiceClient(
+	token := os.Getenv("UNKEY_METALD_TOKEN")
+	tenant := os.Getenv("UNKEY_TENANT_ID")
+	metaldClient := metaldv1connect.NewVmServiceClient(
 		httpClient,
 		cfg.MetaldAddress,
 		connect.WithInterceptors(connect.UnaryInterceptorFunc(func(next connect.UnaryFunc) connect.UnaryFunc {
 			return func(ctx context.Context, req connect.AnyRequest) (connect.AnyResponse, error) {
-				logger.Info("Adding auth headers to metald request", "procedure", req.Spec().Procedure)
-				req.Header().Set("Authorization", "Bearer dev_user_ctrl")
-				req.Header().Set("X-Tenant-ID", "ctrl-tenant")
+				if token != "" {
+					logger.Debug("Adding auth headers to metald request", "procedure", req.Spec().Procedure)
+					req.Header().Set("Authorization", "Bearer "+token)
+				}
+				if tenant != "" {
+					req.Header().Set("X-Tenant-ID", tenant)
+				}
 				return next(ctx, req)
 			}
 		})),
 	)

Add import:

 import (
 	"context"
 	"fmt"
 	"log/slog"
 	"net/http"
 	"time"
+	"os"

♻️ Duplicate comments (9)

go/cmd/deploy/build_docker.go (1)

95-126: Guard against negative maxBranchLen (panic on slice with negative end).

If suffixLen ≥ 128, maxBranchLen becomes ≤ 0 and branchRunes[:maxBranchLen] panics. Clamp to at least 1 (this was suggested earlier—regression).

   // Calculate maximum allowed branch length to keep final tag ≤ 128 chars
   const maxTagLength = 128
-  maxBranchLen := maxTagLength - suffixLen
+  maxBranchLen := maxTagLength - suffixLen
+  if maxBranchLen < 1 {
+    maxBranchLen = 1
+  }

go/cmd/gw/main.go (1)

20-21: Avoid breaking env-var change: accept both UNKEY_HTTPS_PORT and UNKEY_HTTP_PORT

Keep the new description/default, but alias the old env var to avoid surprises and ease rollout.

Apply:

-		cli.Int("https-port", "HTTPS port for the GW server to listen on. Default: 6433",
-			cli.Default(6433), cli.EnvVar("UNKEY_HTTPS_PORT")),
+		cli.Int("https-port", "HTTPS port for the GW server to listen on. Default: 6433",
+			cli.Default(6433), cli.EnvVar("UNKEY_HTTPS_PORT"), cli.EnvVar("UNKEY_HTTP_PORT")),

Verify repo/docs still refer to UNKEY_HTTP_PORT:

#!/bin/bash
rg -nP -C2 '\bUNKEY_HTTP_PORT\b|https-port|UNKEY_HTTPS_PORT'

go/apps/gw/router/register.go (1)

109-117: Guard plaintext mode; lower log level to warn

Serving plaintext should be explicitly opted-in. At minimum, don’t log as error; consider a separate allowlist flag/env to enable this in dev only.

-		if svc.HttpProxy {
-			svc.Logger.Error("Plaintext HTTP proxying is ENABLED! This should ONLY be used for testing/development.")
+		if svc.HttpProxy {
+			svc.Logger.Warn("Plaintext HTTP proxying is ENABLED! Intended for testing/development only.")
 			mux.Handle("/", srv.WrapHandler(proxyHandler.Handle, defaultMiddlewares))

Follow-up (separate change): add an explicit AllowHTTPProxy bool in Services and only enable when true.

go/go.mod (1)

186-187: Remove invalid module paths: go.yaml.in/yaml

These are typos; keep only gopkg.in/yaml.{v2,v3}. Run go mod tidy after.

-	go.yaml.in/yaml/v2 v2.4.2 // indirect
-	go.yaml.in/yaml/v3 v3.0.4 // indirect

Then:

#!/bin/bash
go mod tidy
rg -n '\bgo\.yaml\.in/yaml' || echo "OK: no invalid modules"

go/apps/ctrl/services/deployment/deploy_workflow.go (3)

199-206: Don’t hardcode VM status to Running.

This was flagged earlier; OK for demo, but it skews observability and routing.

Option: map from instance.State and only set Running when actually running; otherwise omit or set an appropriate non-running enum.

---

39-55: Fail fast when backend init fails.

Return an error from constructor instead of proceeding with a nil backend. Callers can surface misconfig earlier.

-func NewDeployWorkflow(cfg DeployWorkflowConfig) *DeployWorkflow {
+func NewDeployWorkflow(cfg DeployWorkflowConfig) (*DeployWorkflow, error) {
 	// Create the appropriate deployment backend
 	deploymentBackend, err := NewDeploymentBackend(cfg.MetalD, cfg.MetaldBackend, cfg.Logger)
 	if err != nil {
-		// Log error but continue - workflow will fail when trying to use the backend
-		cfg.Logger.Error("failed to initialize deployment backend",
-			"error", err,
-			"fallback", cfg.MetaldBackend)
+		return nil, fmt.Errorf("deploy workflow init failed: %w", err)
 	}
 
-	return &DeployWorkflow{
+	return &DeployWorkflow{
 		db:                cfg.DB,
 		partitionDB:       cfg.PartitionDB,
 		logger:            cfg.Logger,
 		deploymentBackend: deploymentBackend,
-	}
+	}, nil
 }

---

660-667: Include IPv6 loopback in local-hostname detection.

Add ::1.

-	if hostname == "localhost" || hostname == "127.0.0.1" {
+	if hostname == "localhost" || hostname == "127.0.0.1" || hostname == "::1" {
 		return true
 	}

go/pkg/partition/db/queries/gateway_upsert.sql (1)

2-6: Replace VALUES() with an INSERT alias and confirm workspace_id move semantics

Schema shows UNIQUE on hostname only (go/pkg/partition/db/schema.sql — UNIQUE KEY gateways_pk (hostname) and unique_hostname at ~line 70), and generated bulk upsert contains VALUES() (go/pkg/partition/db/bulk_gateway_upsert.sql_generated.go — uses workspace_id = VALUES(workspace_id)). Actionable changes:

• Replace VALUES() usage with an INSERT alias in the upsert SQL and regenerate. Example patch (apply to the source .sql files used to generate the code, then run sqlc):

  -INSERT INTO gateways (workspace_id, hostname, config)
  +INSERT INTO gateways AS new (workspace_id, hostname, config)
   VALUES (?, ?, ?)
  -ON DUPLICATE KEY UPDATE 
  -    config = VALUES(config),
  -    workspace_id = VALUES(workspace_id);
  +ON DUPLICATE KEY UPDATE 

• config = new.config,
• workspace_id = new.workspace_id;

- Confirm workspace_id "move" is intended: current UNIQUE on hostname means an upsert will overwrite workspace_id (move hostname between workspaces). If moves are unintended, add/replace a composite UNIQUE (workspace_id, hostname) in go/pkg/partition/db/schema.sql to prevent it.

Files to update/check:
- Source SQL under go/pkg/partition/db/queries (gateway_upsert.sql and the bulk upsert SQL that generates bulk_gateway_upsert.sql_generated.go).
- Regenerate artifacts (sqlc) and verify generated files (go/pkg/partition/db/*_generated.go) no longer use VALUES().

</blockquote></details>
<details>
<summary>go/pkg/partition/db/bulk_gateway_upsert.sql_generated.go (1)</summary><blockquote>

`31-37`: **Pre-size args slice to avoid reallocations**

Minor perf win for large batches.


```diff
-	// Collect all arguments
-	var allArgs []any
+	// Collect all arguments
+	allArgs := make([]any, 0, len(args)*3)
  for _, arg := range args {
  	allArgs = append(allArgs, arg.WorkspaceID)
  	allArgs = append(allArgs, arg.Hostname)
  	allArgs = append(allArgs, arg.Config)
  }

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 71806b0 and 7fb8534.

⛔ Files ignored due to path filters (1)

• go/go.sum is excluded by !**/*.sum

📒 Files selected for processing (20)

• go/apps/ctrl/config.go (3 hunks)
• go/apps/ctrl/run.go (1 hunks)
• go/apps/ctrl/services/deployment/backend_adapter.go (1 hunks)
• go/apps/ctrl/services/deployment/backends/docker.go (1 hunks)
• go/apps/ctrl/services/deployment/backends/interface.go (1 hunks)
• go/apps/ctrl/services/deployment/backends/k8s.go (1 hunks)
• go/apps/ctrl/services/deployment/deploy_workflow.go (9 hunks)
• go/apps/gw/router/register.go (1 hunks)
• go/cmd/ctrl/main.go (2 hunks)
• go/cmd/deploy/build_docker.go (2 hunks)
• go/cmd/gw/main.go (1 hunks)
• go/go.mod (7 hunks)
• go/pkg/db/plugins/bulk-insert/README.md (1 hunks)
• go/pkg/db/plugins/bulk-insert/generator.go (2 hunks)
• go/pkg/db/querier_bulk_generated.go (1 hunks)
• go/pkg/partition/db/bulk_gateway_upsert.sql_generated.go (1 hunks)
• go/pkg/partition/db/gateway_upsert.sql_generated.go (1 hunks)
• go/pkg/partition/db/querier_bulk_generated.go (1 hunks)
• go/pkg/partition/db/querier_generated.go (1 hunks)
• go/pkg/partition/db/queries/gateway_upsert.sql (1 hunks)

🧰 Additional context used

🧠 Learnings (2)

📚 Learning: 2025-09-11T08:17:21.409Z

Learnt from: Flo4604
PR: unkeyed/unkey#3944
File: go/apps/ctrl/services/deployment/fallbacks/k8s.go:236-247
Timestamp: 2025-09-11T08:17:21.409Z
Learning: The K8s fallback backend in go/apps/ctrl/services/deployment/fallbacks/k8s.go is specifically designed for scenarios where the ctrl service runs inside a Kubernetes cluster. It should not be used when ctrl runs outside the cluster - in those cases, the Docker fallback should be used instead.

Applied to files:

• go/apps/ctrl/services/deployment/backend_adapter.go
• go/apps/ctrl/config.go
• go/apps/ctrl/services/deployment/backends/interface.go
• go/apps/ctrl/services/deployment/backends/k8s.go
• go/apps/ctrl/services/deployment/backends/docker.go

📚 Learning: 2025-07-17T14:24:20.403Z

Learnt from: Flo4604
PR: unkeyed/unkey#3631
File: go/pkg/db/bulk_keyring_insert.sql.go:23-25
Timestamp: 2025-07-17T14:24:20.403Z
Learning: In go/pkg/db/bulk_keyring_insert.sql.go and similar bulk insert generated files, hardcoded zero values for fields like size_approx and size_last_updated_at are intentional and reflect the original SQL query structure, not missing parameters.

Applied to files:

• go/pkg/partition/db/querier_bulk_generated.go
• go/pkg/partition/db/bulk_gateway_upsert.sql_generated.go
• go/pkg/db/plugins/bulk-insert/generator.go

🧬 Code graph analysis (13)

go/apps/ctrl/services/deployment/backend_adapter.go (2)

go/pkg/otel/logging/interface.go (1)

• Logger (11-116)

go/apps/ctrl/services/deployment/backends/interface.go (2)

• DeploymentBackend (19-31)
• NewBackend (52-69)

go/pkg/partition/db/querier_bulk_generated.go (6)

go/pkg/partition/db/database.go (1)

• DBTX (10-10)

go/pkg/partition/db/certificate_insert.sql_generated.go (1)

• InsertCertificateParams (23-30)

go/pkg/partition/db/gateway_upsert.sql_generated.go (1)

• UpsertGatewayParams (20-24)

go/pkg/partition/db/vm_upsert.sql_generated.go (1)

• UpsertVMParams (24-31)

go/pkg/db/querier_bulk_generated.go (1)

• BulkQuerier (8-32)

go/pkg/partition/db/queries.go (1)

• BulkQueries (4-4)

go/apps/ctrl/config.go (1)

go/apps/ctrl/services/deployment/backends/interface.go (1)

• ValidateBackendType (35-49)

go/apps/ctrl/services/deployment/backends/interface.go (4)

go/pkg/otel/logging/interface.go (1)

• Logger (11-116)

go/apps/ctrl/services/deployment/backend_adapter.go (1)

• DeploymentBackend (16-20)

go/apps/ctrl/services/deployment/backends/k8s.go (1)

• NewK8sBackend (46-71)

go/apps/ctrl/services/deployment/backends/docker.go (1)

• NewDockerBackend (39-61)

go/pkg/partition/db/bulk_gateway_upsert.sql_generated.go (3)

go/pkg/partition/db/queries.go (1)

• BulkQueries (4-4)

go/pkg/partition/db/database.go (1)

• DBTX (10-10)

go/pkg/partition/db/gateway_upsert.sql_generated.go (1)

• UpsertGatewayParams (20-24)

go/apps/gw/router/register.go (1)

go/pkg/otel/logging/interface.go (1)

• Logger (11-116)

go/cmd/gw/main.go (1)

go/pkg/cli/flag.go (1)

• Int (450-487)

go/apps/ctrl/run.go (1)

go/apps/ctrl/services/deployment/deploy_workflow.go (2)

• NewDeployWorkflow (39-55)
• DeployWorkflowConfig (30-36)

go/apps/ctrl/services/deployment/backends/k8s.go (3)

go/pkg/otel/logging/interface.go (1)

• Logger (11-116)

go/pkg/ptr/pointer.go (1)

• P (49-51)

go/apps/ctrl/services/deployment/backends/interface.go (1)

• BackendTypeK8s (14-14)

go/apps/ctrl/services/deployment/backends/docker.go (2)

go/pkg/otel/logging/interface.go (1)

• Logger (11-116)

go/apps/ctrl/services/deployment/backends/interface.go (1)

• BackendTypeDocker (15-15)

go/cmd/ctrl/main.go (1)

go/pkg/cli/flag.go (3)

• String (376-408)
• EnvVar (287-304)
• Bool (411-447)

go/cmd/deploy/build_docker.go (2)

go/cmd/deploy/main.go (1)

• DeployOptions (83-98)

go/pkg/git/git.go (1)

• Info (9-15)

go/apps/ctrl/services/deployment/deploy_workflow.go (13)

go/pkg/otel/logging/interface.go (1)

• Logger (11-116)

go/apps/ctrl/services/deployment/backend_adapter.go (2)

• DeploymentBackend (16-20)
• NewDeploymentBackend (120-132)

go/apps/ctrl/services/deployment/backends/interface.go (1)

• DeploymentBackend (19-31)

go/pkg/hydra/step.go (2)

• Step (67-276)
• StepVoid (302-310)

go/gen/proto/metald/v1/deployment.pb.go (12)

• CreateDeploymentResponse (144-149)
• CreateDeploymentResponse (162-162)
• CreateDeploymentResponse (177-179)
• CreateDeploymentRequest (100-105)
• CreateDeploymentRequest (118-118)
• CreateDeploymentRequest (133-135)
• DeploymentRequest (24-33)
• DeploymentRequest (46-46)
• DeploymentRequest (61-63)
• GetDeploymentResponse_Vm (452-460)
• GetDeploymentResponse_Vm (473-473)
• GetDeploymentResponse_Vm (488-490)

go/pkg/db/models_generated.go (5)

• Deployment (527-545)
• Domain (556-565)
• DomainsTypeCustom (242-242)
• DeploymentStepsStatusAssigningDomains (153-153)
• DeploymentsStatusReady (200-200)

go/gen/proto/partition/v1/gateway.pb.go (12)

• Deployment (104-110)
• Deployment (123-123)
• Deployment (138-140)
• GatewayConfig (26-37)
• GatewayConfig (50-50)
• GatewayConfig (65-67)
• VM (208-213)
• VM (226-226)
• VM (241-243)
• AuthConfig (253-258)
• AuthConfig (271-271)
• AuthConfig (286-288)

go/pkg/git/git.go (2)

• Info (9-15)
• GetInfo (19-51)

go/pkg/partition/db/vm_upsert.sql_generated.go (1)

• UpsertVMParams (24-31)

go/gen/proto/metal/vmprovisioner/v1/vmprovisioner.pb.go (1)

• VmState_VM_STATE_RUNNING (30-30)

go/gen/proto/metald/v1/vm.pb.go (1)

• VmState_VM_STATE_RUNNING (31-31)

go/pkg/db/domain_insert.sql_generated.go (1)

• InsertDomainParams (38-47)

go/pkg/partition/db/gateway_upsert.sql_generated.go (1)

• UpsertGatewayParams (20-24)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Test API / API Test Local
• GitHub Check: Test Go API Local / Test

🔇 Additional comments (12)

go/cmd/deploy/build_docker.go (2)

42-55: Good: precompiled regexes remove hot-path allocations.

This is the right approach; patterns look correct for the normalized (lowercased) set.

---

57-91: Sanitizer looks correct and consistent with Docker’s tag grammar.

Lowercasing-by-policy, first-char fixup, multi-dash collapse, and final validation all SGTM.

go/cmd/ctrl/main.go (2)

132-134: LGTM wiring

Flag is plumbed into Config correctly.

---

75-75: Accept legacy UNKEY_METALD_FALLBACK in CLI and update config/docs

• rg found no occurrences of UNKEY_METALD_FALLBACK; only UNKEY_METALD_BACKEND is used (e.g. go/deploy/metald/internal/config/config.go:271, go/cmd/ctrl/main.go:75 and multiple deploy docs).
• Apply this CLI change (adds legacy env var support):

-		cli.String("metald-backend", "Whether to call metalD or go to a fallback (docker or k8s)", cli.EnvVar("UNKEY_METALD_BACKEND")),
+		cli.String("metald-backend", "Deployment backend: \"docker\" or \"k8s\". Empty = use metald", cli.EnvVar("UNKEY_METALD_BACKEND"), cli.EnvVar("UNKEY_METALD_FALLBACK")),

• Also update go/deploy/metald/internal/config/config.go to prefer UNKEY_METALD_BACKEND but fall back to UNKEY_METALD_FALLBACK if present, and update docs/deployment files (DOCKER_DEVELOPMENT_PLAN.md, README.dev.md, Dockerfile.dev, systemd units, docker-compose.yaml) to mention both and note deprecation of the legacy var.

go/apps/ctrl/services/deployment/backends/interface.go (1)

33-69: Backend type validation and factory look solid

Case-insensitive handling, clear errors, and explicit constants are good.

go/apps/ctrl/services/deployment/backend_adapter.go (1)

119-132: Nice: clear selection between local and metald backends

Logging the chosen backend is helpful for ops.

go/apps/ctrl/services/deployment/deploy_workflow.go (2)

360-371: Good: standardized gateway config encoding to JSON.

protojson for both writes and reads aligns with gw routing; thanks for documenting the policy inline.

---

175-186: Fix: invalid loop over integer (won’t compile).

Replace range over 300 with indexed loop.

-		for i := range 300 {
+		for i := 0; i < 300; i++ {
 			time.Sleep(time.Second)

⛔ Skipped due to learnings

Learnt from: Flo4604
PR: unkeyed/unkey#3800
File: go/apps/api/integration/multi_node_usagelimiting/run.go:107-126
Timestamp: 2025-08-19T08:57:31.793Z
Learning: Go 1.22+ supports "range over integers" syntax: `for range N` iterates N times, and `for i := range N` iterates with i from 0 to N-1. This is valid Go syntax and should not be flagged as a compilation error.

go/pkg/db/plugins/bulk-insert/generator.go (1)

201-203: LGTM: assertion comment now matches the asserted type

Comment aligns with var _ BulkQuerier = (*BulkQueries)(nil).

go/pkg/db/querier_bulk_generated.go (1)

34-35: LGTM: comment fix only

Matches BulkQueries type.

go/pkg/partition/db/gateway_upsert.sql_generated.go (1)

21-23: WorkspaceID Go type is correct — matches DB VARCHAR(255).

The SQL schema defines workspace_id as VARCHAR(255) (gateways and certificates) and the generated Go fields are string — no change required.

go/pkg/partition/db/querier_bulk_generated.go (1)

1-16: LGTM: interface surface and assertion look correct

Matches implemented bulk methods and DBTX alias.

[coderabbitai]

Actionable comments posted: 4

♻️ Duplicate comments (11)

go/cmd/deploy/build_docker.go (2)

42-56: Good: precompiled, package-scope regexes.
Addresses earlier perf and correctness feedback.

---

95-126: Guard against negative max length; avoid double separators; ensure non-empty base.
If suffixLen >= 128, slicing with a negative index panics; also prevent “base--suffix”.

Apply to generateImageTag:

-  maxBranchLen := maxTagLength - suffixLen
+  maxBranchLen := maxTagLength - suffixLen
+  if maxBranchLen < 1 {
+    maxBranchLen = 1
+  }
@@
-  if len(branchRunes) > maxBranchLen {
-    branchRunes = branchRunes[:maxBranchLen]
-    cleanBranch = string(branchRunes)
-    // Ensure it doesn't end with a dash after trimming
-    cleanBranch = strings.TrimRight(cleanBranch, "-")
-  }
+  if len(branchRunes) > maxBranchLen {
+    branchRunes = branchRunes[:maxBranchLen]
+    cleanBranch = string(branchRunes)
+  }
+  // Avoid trailing separators that can lead to double dashes on join
+  cleanBranch = strings.TrimRight(cleanBranch, "-.")
+  if cleanBranch == "" {
+    cleanBranch = "v"
+  }

go/apps/ctrl/services/deployment/deploy_workflow.go (5)

41-58: Constructor silently swallows backend initialization errors

The current implementation logs backend initialization failures but continues to create a workflow with a potentially nil backend, which will fail at runtime during deployment execution.

---

287-289: Sanitize auto-generated hostname for DNS compliance

Branch names and identifiers can contain invalid DNS characters or exceed length limits. The current basic replacement is insufficient.

---

304-338: Fix sql.NullString validity for empty strings

Empty ProjectID and DeploymentID should be stored as NULL rather than empty strings marked as valid.

-				ProjectID:    sql.NullString{Valid: true, String: req.ProjectID},
+				ProjectID:    sql.NullString{Valid: req.ProjectID != "", String: req.ProjectID},
-				DeploymentID: sql.NullString{Valid: true, String: req.DeploymentID},
+				DeploymentID: sql.NullString{Valid: req.DeploymentID != "", String: req.DeploymentID},

---

506-508: Critical: Inconsistent protobuf encoding

The code uses protojson.Unmarshal here but the create path uses protojson.Marshal while update uses proto.Marshal. This encoding inconsistency will cause failures when reading configs created via different paths.

---

125-157: LGTM on backend abstraction but fix log casing

The backend abstraction is well implemented with proper nil checks. Minor improvement needed on log message casing consistency.

-		w.logger.Error("CreateDeployment failed", "error", err, "docker_image", req.DockerImage)
+		w.logger.Error("create deployment failed", "error", err, "docker_image", req.DockerImage)

go/apps/ctrl/config.go (3)

74-77: Fail fast: require metald-address when no fallback; validate default-domain

Right now Validate() only type-checks the backend; make config self-consistent so fallback flows don’t need a metald address, and metald is required when no fallback is set.

 func (c Config) Validate() error {
 	// Validate MetaldBackend field
 	if err := backends.ValidateBackendType(c.MetaldBackend); err != nil {
 		return fmt.Errorf("invalid metald backend configuration: %w", err)
 	}
+
+	// If no fallback is configured, metald-address is required
+	if strings.TrimSpace(c.MetaldBackend) == "" && strings.TrimSpace(c.MetaldAddress) == "" {
+		return fmt.Errorf("metald-address is required when --metald-backend is empty")
+	}
+
+	// Optional: basic sanity for DefaultDomain
+	if strings.TrimSpace(c.DefaultDomain) == "" {
+		return fmt.Errorf("default-domain must not be empty or whitespace")
+	}
 
 	return nil
 }

This pairs with dropping Required() on the metald-address flag in cmd (see separate comment).

---

56-57: Clarify allowed values and intent for MetaldBackend

Make the comment explicit and user-facing; also reference empty-string behavior.

-	MetaldBackend string // fallback to either k8's pod or docker, this skips calling metald
+	MetaldBackend string // fallback runtime: "docker" or "k8s"; empty = use metald (no fallback)

Note: per your learnings, document that "k8s" is intended only when ctrl runs in-cluster; otherwise use "docker".

(Used your retrieved learnings about the K8s fallback’s intended environment.)

---

4-6: Add missing import for validation helpers

The proposed validation uses strings.TrimSpace; add the import.

 import (
 	"fmt"
 
 	"github.com/unkeyed/unkey/go/apps/ctrl/services/deployment/backends"
+	"strings"
 	"github.com/unkeyed/unkey/go/pkg/clock"
 	"github.com/unkeyed/unkey/go/pkg/tls"
 )

go/apps/ctrl/run.go (1)

189-196: Propagate backend init errors from NewDeployWorkflow (avoid nil backend)

Constructor currently logs and returns a workflow with a possibly-nil backend; fail fast instead.

-	deployWorkflow := deployment.NewDeployWorkflow(deployment.DeployWorkflowConfig{
+	deployWorkflow, err := deployment.NewDeployWorkflow(deployment.DeployWorkflowConfig{
 		Logger:        logger,
 		DB:            database,
 		PartitionDB:   partitionDB,
 		MetaldBackend: cfg.MetaldBackend,
 		MetalD:        metaldClient,
 		DefaultDomain: cfg.DefaultDomain,
 	})
+	if err != nil {
+		return fmt.Errorf("unable to init deployment workflow: %w", err)
+	}

And update go/apps/ctrl/services/deployment/deploy_workflow.go accordingly:

// signature change
func NewDeployWorkflow(cfg DeployWorkflowConfig) (*DeployWorkflow, error) {
    deploymentBackend, err := NewDeploymentBackend(cfg.MetalD, cfg.MetaldBackend, cfg.Logger)
    if err != nil {
        return nil, err
    }
    return &DeployWorkflow{
        db:                cfg.DB,
        partitionDB:       cfg.PartitionDB,
        logger:            cfg.Logger,
        deploymentBackend: deploymentBackend,
        defaultDomain:     cfg.DefaultDomain,
    }, nil
}

#!/bin/bash
# Confirm no remaining call sites assume the old NewDeployWorkflow signature
rg -nP -C2 'NewDeployWorkflow\s*\('

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7fb8534 and 085bb59.

📒 Files selected for processing (6)

• go/apps/ctrl/config.go (3 hunks)
• go/apps/ctrl/run.go (1 hunks)
• go/apps/ctrl/services/deployment/deploy_workflow.go (10 hunks)
• go/cmd/ctrl/main.go (2 hunks)
• go/cmd/deploy/build_docker.go (3 hunks)
• go/cmd/deploy/main.go (3 hunks)

🧰 Additional context used

🧠 Learnings (2)

📚 Learning: 2025-09-11T08:17:21.409Z

Learnt from: Flo4604
PR: unkeyed/unkey#3944
File: go/apps/ctrl/services/deployment/fallbacks/k8s.go:236-247
Timestamp: 2025-09-11T08:17:21.409Z
Learning: The K8s fallback backend in go/apps/ctrl/services/deployment/fallbacks/k8s.go is specifically designed for scenarios where the ctrl service runs inside a Kubernetes cluster. It should not be used when ctrl runs outside the cluster - in those cases, the Docker fallback should be used instead.

Applied to files:

• go/apps/ctrl/config.go

📚 Learning: 2025-07-16T09:18:45.379Z

Learnt from: ogzhanolguncu
PR: unkeyed/unkey#3564
File: go/cmd/cli/commands/deploy/deploy.go:153-158
Timestamp: 2025-07-16T09:18:45.379Z
Learning: In the go/cmd/cli/commands/deploy/ CLI codebase, ogzhanolguncu prefers to allow deployment to continue even when Docker push fails (around lines 153-158 in deploy.go) because the team is working locally and needs this behavior for local development workflows where registry access might not be available.

Applied to files:

• go/apps/ctrl/services/deployment/deploy_workflow.go

🧬 Code graph analysis (6)

go/apps/ctrl/run.go (1)

go/apps/ctrl/services/deployment/deploy_workflow.go (2)

• NewDeployWorkflow (41-58)
• DeployWorkflowConfig (31-38)

go/apps/ctrl/config.go (2)

go/apps/gw/services/certmanager/interface.go (1)

• Config (18-35)

go/apps/ctrl/services/deployment/backends/interface.go (1)

• ValidateBackendType (35-49)

go/cmd/deploy/main.go (1)

go/pkg/cli/flag.go (1)

• Bool (411-447)

go/cmd/ctrl/main.go (1)

go/pkg/cli/flag.go (4)

• String (376-408)
• EnvVar (287-304)
• Default (327-373)
• Bool (411-447)

go/cmd/deploy/build_docker.go (2)

go/cmd/deploy/main.go (1)

• DeployOptions (83-99)

go/pkg/git/git.go (1)

• Info (9-15)

go/apps/ctrl/services/deployment/deploy_workflow.go (9)

go/apps/ctrl/services/deployment/backends/interface.go (1)

• DeploymentBackend (19-31)

go/apps/ctrl/services/deployment/backend_adapter.go (2)

• DeploymentBackend (16-20)
• NewDeploymentBackend (120-132)

go/gen/proto/metald/v1/metaldv1connect/metald.connect.go (1)

• VmServiceClient (68-95)

go/pkg/db/models_generated.go (5)

• Domain (556-565)
• Deployment (527-545)
• DomainsTypeCustom (242-242)
• DeploymentStepsStatusAssigningDomains (153-153)
• DeploymentsStatusReady (200-200)

go/pkg/hydra/step.go (2)

• Step (67-276)
• StepVoid (302-310)

go/pkg/git/git.go (2)

• Info (9-15)
• GetInfo (19-51)

go/pkg/partition/db/vm_upsert.sql_generated.go (1)

• UpsertVMParams (24-31)

go/pkg/db/domain_insert.sql_generated.go (1)

• InsertDomainParams (38-47)

go/pkg/partition/db/gateway_upsert.sql_generated.go (1)

• UpsertGatewayParams (20-24)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)

• GitHub Check: Test API / API Test Local
• GitHub Check: Test Go API Local / Test
• GitHub Check: Test Packages / Test
• GitHub Check: Build / Build
• GitHub Check: goreleaser
• GitHub Check: Analyze (javascript-typescript)

🔇 Additional comments (16)

go/cmd/deploy/build_docker.go (1)

11-11: Import for regexp is appropriate.
Required for precompiled tag regexes.

go/cmd/deploy/main.go (2)

98-98: Wiring new Linux option into DeployOptions looks good.

---

209-209: Correctly plumbs flag into options.

go/apps/ctrl/services/deployment/deploy_workflow.go (11)

19-19: LGTM!

Good addition of protojson import for gateway config marshaling.

---

23-29: LGTM!

The struct refactor properly encapsulates the deployment backend abstraction and removes direct metald client dependency.

---

31-38: LGTM!

The config struct follows good dependency injection patterns and clearly separates concerns.

---

73-73: LGTM!

Good addition of the Domain field to the DeployRequest struct for flexibility.

---

179-256: LGTM on improved polling and VM management

The enhanced polling logic with better logging intervals, VM database persistence, and state management is well implemented.

---

262-302: LGTM on domain generation logic

The bulk domain generation approach using git information for auto-generated hostnames is well structured.

---

340-396: LGTM on bulk gateway config creation

The bulk approach for gateway config creation with local hostname filtering is efficient and well-implemented.

---

365-369: Good switch to protojson for gateway configs

The use of protojson.Marshal for gateway configs is appropriate for debugging and readability during development.

---

398-421: LGTM on deployment completion

The deployment status update to "ready" is correctly implemented with proper error handling and logging.

---

595-626: LGTM on gateway config creation helpers

The helper methods with clear encoding policy documentation are well-structured and maintainable.

---

664-688: Improved local hostname detection

The refactored local hostname detection with exact matching and proper suffix checking is much better than the previous contains-based approach.

go/cmd/ctrl/main.go (2)

133-136: Wiring looks correct

Flags map cleanly to Config. Validation guards behavior.

---

75-76: Don't rename the env var — repo uses UNKEY_METALD_BACKEND; update docs and tighten flag help

• The codebase (deploy files, systemd units, metald config, Dockerfiles, and ctrl app) consistently uses UNKEY_METALD_BACKEND — do not change the code to UNKEY_METALD_FALLBACK; update the PR/docs to use UNKEY_METALD_BACKEND or change all code references if renaming is desired.
• Tighten the metald-backend flag help (go/cmd/ctrl/main.go): list allowed values (firecracker, docker, k8s) and state empty-string semantics (empty = use metald / default = firecracker).
• I did not find a Required() on the metald-address flag; no Required() removal appears necessary. If the intent is explicit fallback-only operation, ensure metald-address is optional.

Likely an incorrect or invalid review comment.

[coderabbitai]

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

go/apps/ctrl/services/deployment/deploy_workflow.go (1)

65-74: Remove or wire DeployRequest.Domain

DeployRequest.Domain is defined but never read: CreateDeployment builds deployReq without Domain (go/apps/ctrl/services/deployment/create_deployment.go around line 130) and DeployWorkflow.Run never references req.Domain (domains are derived from req.Hostname and w.defaultDomain in go/apps/ctrl/services/deployment/deploy_workflow.go). Remove the field to avoid API confusion, or populate deployReq.Domain (and update the CreateDeploymentRequest RPC/handler) and use it in the "generate-all-domains" step.

♻️ Duplicate comments (3)

go/apps/ctrl/services/deployment/deploy_workflow.go (3)

202-216: Do not upsert VMs as RUNNING before they are running; fix Address nullability

Only persist when RUNNING (or map states), and set Address.Valid when host/port exist.

-					upsertParams := partitiondb.UpsertVMParams{
-						ID:            instance.Id,
-						DeploymentID:  req.DeploymentID,
-						Address:       sql.NullString{Valid: true, String: fmt.Sprintf("%s:%d", instance.Host, instance.Port)},
-						CpuMillicores: 1000,                         // TODO derive from spec
-						MemoryMb:      1024,                         // TODO derive from spec
-						Status:        partitiondb.VmsStatusRunning, // TODO
-					}
+					addr := sql.NullString{Valid: instance.Host != "" && instance.Port != 0, String: fmt.Sprintf("%s:%d", instance.Host, instance.Port)}
+					if instance.State == metaldv1.VmState_VM_STATE_RUNNING {
+						upsertParams := partitiondb.UpsertVMParams{
+							ID:            instance.Id,
+							DeploymentID:  req.DeploymentID,
+							Address:       addr,
+							CpuMillicores: 1000, // TODO derive from spec
+							MemoryMb:      1024, // TODO derive from spec
+							Status:        partitiondb.VmsStatusRunning,
+						}
 
-					w.logger.Info("upserting VM to database",
+						w.logger.Info("upserting VM to database",
 						"vm_id", instance.Id,
 						"deployment_id", req.DeploymentID,
-						"address", fmt.Sprintf("%s:%d", instance.Host, instance.Port),
-						"status", "running")
+						"address", addr.String,
+						"status", "running")
 
-					if err := partitiondb.Query.UpsertVM(stepCtx, w.partitionDB.RW(), upsertParams); err != nil {
-						w.logger.Error("failed to upsert VM", "error", err, "vm_id", instance.Id, "params", upsertParams)
-						return nil, fmt.Errorf("failed to upsert VM %s: %w", instance.Id, err)
-					}
+						if err := partitiondb.Query.UpsertVM(stepCtx, w.partitionDB.RW(), upsertParams); err != nil {
+							w.logger.Error("failed to upsert VM", "error", err, "vm_id", instance.Id, "params", upsertParams)
+							return nil, fmt.Errorf("failed to upsert VM %s: %w", instance.Id, err)
+						}
+						w.logger.Info("successfully upserted VM to database", "vm_id", instance.Id)
+					}
 
-					w.logger.Info("successfully upserted VM to database", "vm_id", instance.Id)

If you need non-running states reflected in DB, map instance.State to your VmsStatus enums instead.

Also applies to: 217-223, 227-231

---

312-323: Null handling: don’t mark empty strings as valid sql.NullString

Store NULL when ProjectID/DeploymentID are empty.

-				ProjectID:    sql.NullString{Valid: true, String: req.ProjectID},
+				ProjectID:    sql.NullString{Valid: req.ProjectID != "", String: req.ProjectID},
 				Domain:       domain,
-				DeploymentID: sql.NullString{Valid: true, String: req.DeploymentID},
+				DeploymentID: sql.NullString{Valid: req.DeploymentID != "", String: req.DeploymentID},

Also consider marking generated hostnames with a distinct Type if the schema supports it; otherwise leave as Custom.

---

665-673: Include IPv6 loopback in local-hostname check

Add ::1 for completeness.

-	if hostname == "localhost" || hostname == "127.0.0.1" {
+	if hostname == "localhost" || hostname == "127.0.0.1" || hostname == "::1" {
 		return true
 	}

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 085bb59 and aebc152.

📒 Files selected for processing (1)

• go/apps/ctrl/services/deployment/deploy_workflow.go (10 hunks)

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-07-16T09:18:45.379Z

Learnt from: ogzhanolguncu
PR: unkeyed/unkey#3564
File: go/cmd/cli/commands/deploy/deploy.go:153-158
Timestamp: 2025-07-16T09:18:45.379Z
Learning: In the go/cmd/cli/commands/deploy/ CLI codebase, ogzhanolguncu prefers to allow deployment to continue even when Docker push fails (around lines 153-158 in deploy.go) because the team is working locally and needs this behavior for local development workflows where registry access might not be available.

Applied to files:

• go/apps/ctrl/services/deployment/deploy_workflow.go

🧬 Code graph analysis (1)

go/apps/ctrl/services/deployment/deploy_workflow.go (10)

go/pkg/otel/logging/interface.go (1)

• Logger (11-116)

go/apps/ctrl/services/deployment/backend_adapter.go (2)

• DeploymentBackend (16-20)
• NewDeploymentBackend (120-132)

go/pkg/db/models_generated.go (2)

• Domain (556-565)
• Deployment (527-545)

go/pkg/hydra/step.go (2)

• Step (67-276)
• StepVoid (302-310)

go/gen/proto/metald/v1/deployment.pb.go (12)

• CreateDeploymentResponse (144-149)
• CreateDeploymentResponse (162-162)
• CreateDeploymentResponse (177-179)
• CreateDeploymentRequest (100-105)
• CreateDeploymentRequest (118-118)
• CreateDeploymentRequest (133-135)
• DeploymentRequest (24-33)
• DeploymentRequest (46-46)
• DeploymentRequest (61-63)
• GetDeploymentResponse_Vm (452-460)
• GetDeploymentResponse_Vm (473-473)
• GetDeploymentResponse_Vm (488-490)

go/gen/proto/partition/v1/gateway.pb.go (12)

• Deployment (104-110)
• Deployment (123-123)
• Deployment (138-140)
• GatewayConfig (26-37)
• GatewayConfig (50-50)
• GatewayConfig (65-67)
• VM (208-213)
• VM (226-226)
• VM (241-243)
• AuthConfig (253-258)
• AuthConfig (271-271)
• AuthConfig (286-288)

go/pkg/git/git.go (2)

• Info (9-15)
• GetInfo (19-51)

go/pkg/partition/db/vm_upsert.sql_generated.go (1)

• UpsertVMParams (24-31)

go/pkg/db/domain_insert.sql_generated.go (1)

• InsertDomainParams (38-47)

go/pkg/partition/db/gateway_upsert.sql_generated.go (1)

• UpsertGatewayParams (20-24)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: Test API / API Test Local
• GitHub Check: Test Go API Local / Test
• GitHub Check: Build / Build
• GitHub Check: Test Packages / Test

🔇 Additional comments (3)

go/apps/ctrl/services/deployment/deploy_workflow.go (3)

341-377: Gateway configs: continue-on-error is good; add workspace to all bulk params

Looks good overall; the bulk path correctly skips local domains and uses protojson.

Also applies to: 379-385

---

399-417: Good: consistent “ready” status and structured result

Status transitions and logging look consistent.

---

179-188: Make the polling loop cancellable; keep the range-over-int

• The repo's module targets Go >= 1.24 (go.mod), so "for i := range 300" is supported — do not change that for compatibility.
• Required change: in go/apps/ctrl/services/deployment/deploy_workflow.go (~179–188) make the polling loop respect stepCtx (either check stepCtx.Err() each iteration or use a cancellable sleep with select on stepCtx.Done()). Example:
  for i := range 300 {
  select {
  case <-stepCtx.Done(): return nil, stepCtx.Err()
  case <-time.After(time.Second):
  }
  if i%10 == 0 { w.logger.Info(...) }
  ...
  }

Likely an incorrect or invalid review comment.

[chronark]

just nits really, decide for yourself if you want to address or create issues

[coderabbitai]

Actionable comments posted: 5

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (13)

go/apps/gw/run.go (9)

133-141: Rename misleading variable and error message: this is no longer a “partitioned” DB.

Use a neutral name (e.g., routingDB) and fix the error text for clarity.

-	partitionedDB, err := db.New(db.Config{
+	routingDB, err := db.New(db.Config{
 		PrimaryDSN:  cfg.DatabasePrimary,
 		ReadOnlyDSN: cfg.DatabaseReadonlyReplica,
 		Logger:      logger,
 	})
 	if err != nil {
-		return fmt.Errorf("unable to create partitioned db: %w", err)
+		return fmt.Errorf("unable to create routing db: %w", err)
 	}
-	shutdowns.Register(partitionedDB.Close)
+	shutdowns.Register(routingDB.Close)

Note: Update uses at Lines 213 and 226 accordingly.

---

211-218: Follow-through on rename: pass the renamed DB var to routing service.

-		DB:                 partitionedDB,
+		DB:                 routingDB,

---

223-231: Follow-through on rename: pass the renamed DB var to cert manager.

-		DB:                  partitionedDB,
+		DB:                  routingDB,

---

241-243: Add HTTP client timeouts/limits for ACME/ctrl client.

Avoid unbounded hangs and reduce resource leaks.

-	httpClient := &http.Client{}
+	httpClient := &http.Client{
+		Timeout: 15 * time.Second,
+		Transport: &http.Transport{
+			DialContext:           (&net.Dialer{Timeout: 5 * time.Second}).DialContext,
+			TLSHandshakeTimeout:   5 * time.Second,
+			ResponseHeaderTimeout: 10 * time.Second,
+			ExpectContinueTimeout: 1 * time.Second,
+			IdleConnTimeout:       90 * time.Second,
+			MaxIdleConnsPerHost:   10,
+		},
+	}

---

98-107: Don’t panic in background goroutines (Prometheus server). Log and return.

Panicking in goroutines is uncaught and crashes the process. Prefer logging; consider coordinated shutdown.

 		go func() {
 			promListener, err := net.Listen("tcp", fmt.Sprintf(":%d", cfg.PrometheusPort))
-			if err != nil {
-				panic(err)
-			}
-			promListenErr := prom.Serve(ctx, promListener)
-			if promListenErr != nil {
-				panic(promListenErr)
-			}
+			if err != nil {
+				logger.Error("Prometheus listener failed", "error", err)
+				return
+			}
+			if err := prom.Serve(ctx, promListener); err != nil {
+				logger.Error("Prometheus server exited with error", "error", err)
+			}
 		}()

---

300-307: Avoid panic on HTTP challenge server Serve errors.

Log errors; panics from goroutines are not recovered by the top-level defer.

 			serveErr := challengeSrv.Serve(ctx, challengeListener)
-			if serveErr != nil {
-				panic(serveErr)
-			}
+			if serveErr != nil {
+				logger.Error("HTTP server (ACME) exited with error", "error", serveErr)
+			}

---

315-321: Avoid panic on HTTPS gateway server Serve errors.

Same rationale as above.

 			serveErr := gwSrv.Serve(ctx, gwListener)
-			if serveErr != nil {
-				panic(serveErr)
-			}
+			if serveErr != nil {
+				logger.Error("HTTPS gateway server exited with error", "error", serveErr)
+			}

---

155-164: Register ClickHouse Close (if applicable).

If the concrete ClickHouse implementation exposes Close(), register it with shutdowns to avoid leaks.

Example:

type closer interface{ Close() error }
if c, ok := ch.(closer); ok {
	shutdowns.Register(c.Close)
}

Please confirm the client implements Close(). If not, ignore.

---

174-182: Redis vs in-memory counter: align code and comment; handle empty URL.

Comment says “Use in-memory counter,” but code always constructs Redis. If RedisURL can be empty in dev, fall back to local.

Proposed pattern:

var ctr counter.Counter
if cfg.RedisURL == "" {
	ctr, err = counter.NewLocal(counter.LocalConfig{Logger: logger}) // or equivalent constructor
} else {
	ctr, err = counter.NewRedis(counter.RedisConfig{Logger: logger, RedisURL: cfg.RedisURL})
}

If there is no local constructor, we can add one or feature-flag this path.

go/apps/gw/services/caches/caches.go (1)

72-74: Doc example references a non-existent field.

Update KeyByHash → VerificationKeyByHash.

-//  key, err := caches.KeyByHash.Get(ctx, "some-hash")
+//  key, err := caches.VerificationKeyByHash.Get(ctx, "some-hash")

go/apps/ctrl/services/acme/providers/http_provider.go (1)

41-54: Validate inputs for Present

Reject empty token/keyAuth early to avoid storing unusable challenges.

 func (p *HTTPProvider) Present(domain, token, keyAuth string) error {
-	ctx := context.Background()
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+	if token == "" || keyAuth == "" {
+		return fmt.Errorf("empty token/keyAuth for domain %s", domain)
+	}

go/apps/ctrl/services/acme/certificate_workflow.go (1)

91-98: Dead code: outer err checked inside step — always nil here

This block never runs and references ctx.Context() unnecessarily. Remove it.

-        // Regardless we first claim the challenge so that no-other job tries to do the same, this will just annoy acme ratelimits
-        if err != nil {
-            db.Query.UpdateAcmeChallengeStatus(ctx.Context(), w.db.RW(), db.UpdateAcmeChallengeStatusParams{
-                DomainID:  dom.ID,
-                Status:    db.AcmeChallengesStatusFailed,
-                UpdatedAt: sql.NullInt64{Valid: true, Int64: time.Now().UnixMilli()},
-            })
-            return EncryptedCertificate{}, err
-        }
+        // Challenge was claimed in the previous step; proceed to obtain/renew the certificate.

go/apps/ctrl/run.go (1)

415-418: Bug: wrong var logged and misleading message.

Log registerErr, and fix message to match the cron.

-			if registerErr != nil {
-				logger.Error("Failed to register daily report cron job", "error", err)
+			if registerErr != nil {
+				logger.Error("Failed to register certificate challenge cron", "error", registerErr)
 				return
 			}

♻️ Duplicate comments (24)

go/apps/gw/services/caches/caches.go (2)

88-90: Stale=1m makes VM rollbacks laggy; lower to <=15s as previously requested.

This mirrors chronark’s earlier note—waiting up to a minute to purge bad VMs is painful, especially for demos and incident rollback.

Apply:

-    Fresh:    time.Second * 10,
-    Stale:    time.Minute,
+    Fresh:    time.Second * 10,
+    Stale:    time.Second * 15,

---

112-116: Critical — verification_key_by_hash cache can authorize revoked/rotated keys; lower TTLs or add invalidation

• Why: go/apps/gw/services/caches/caches.go config uses Fresh = 1m, Stale = 10m. cache.SWR will serve stale entries until Stale; keys.Get uses s.keyCache.SWR and then validates only cached fields (DeletedAtM / ApiDeletedAtM / Enabled / Expires). A key revoked/rotated out-of-band (or on another node) can remain accepted until eviction/revalidation.
• Evidence: go/apps/gw/services/caches/caches.go (verification_key_by_hash: Fresh=time.Minute, Stale=time.Minute*10, MaxSize=1_000_000). Internal service has Fresh=10s (go/internal/services/caches/caches.go) but still uses SWR; key mutation handlers call KeyCache.Remove (local-only) in various apps/api routes. No distributed/broadcast invalidation found.
• Recommended patch (apply immediately or reduce until invalidation exists):

-    Fresh:    time.Minute,
-    Stale:    time.Minute * 10,
+    Fresh:    time.Second * 10,
+    Stale:    time.Second * 30,

Optional (configurable cap):

-    MaxSize:  1_000_000,
+    MaxSize:  200_000,

• Note: handlers already call KeyCache.Remove on updates (reduces local window), but that does not cover out-of-band or cross-node changes — either lower TTLs as above or implement a robust invalidation/broadcast mechanism.

go/pkg/db/schema.sql (1)

377-388: Consider adding a composite index for scheduler queries.

If you frequently list executable challenges by status and type (and/or next expiry), the single-column status_idx index may not be optimal. Consider adding a composite index to speed up scheduler queries.

 CREATE INDEX `workspace_idx` ON `acme_challenges` (`workspace_id`);
 CREATE INDEX `status_idx` ON `acme_challenges` (`status`);
+CREATE INDEX `status_type_idx` ON `acme_challenges` (`status`,`type`);
+-- Optionally, if you also filter by expiry: CREATE INDEX `status_expires_idx` ON `acme_challenges` (`status`,`expires_at`);

go/apps/ctrl/services/deployment/backends/k8s.go (5)

45-71: Document in-cluster requirement and improve error guidance.

NewK8sBackend uses InClusterConfig which only works when ctrl runs inside a Kubernetes cluster. When ctrl runs outside the cluster, users should use the Docker backend instead.

Consider adding clearer documentation or error messages to guide users:

1. Add a comment at the function level documenting that this backend requires in-cluster execution
2. When InClusterConfig fails, include guidance in the error message about using UNKEY_METALD_BACKEND=docker for out-of-cluster scenarios

 // NewK8sBackend creates a new Kubernetes backend
+// Note: This backend requires ctrl to be running inside a Kubernetes cluster.
+// For local development outside a cluster, use UNKEY_METALD_BACKEND=docker instead.
 func NewK8sBackend(logger logging.Logger) (*K8sBackend, error) {
 	// Create in-cluster config
 	config, err := rest.InClusterConfig()
 	if err != nil {
-		return nil, fmt.Errorf("failed to create in-cluster config: %w", err)
+		return nil, fmt.Errorf("failed to create in-cluster config (ctrl must run inside a Kubernetes cluster, or use UNKEY_METALD_BACKEND=docker for local development): %w", err)
 	}

---

157-169: Consider using ClusterIP service type instead of NodePort.

The service is created as NodePort but the code only uses the ClusterIP. If you don't need external access via node ports, use ClusterIP type to avoid exposing unnecessary ports.

 		Spec: corev1.ServiceSpec{
-			Type: corev1.ServiceTypeNodePort,
+			Type: corev1.ServiceTypeClusterIP,
 			Selector: map[string]string{

---

235-238: Prefer stable DNS names over ClusterIP for reliability.

ClusterIP can be empty during provisioning. Consider using the stable Kubernetes DNS name instead.

-	host := service.Spec.ClusterIP
-	port := int32(8080) // Always use container port for backend service calls
+	// Use stable Kubernetes DNS name
+	host := fmt.Sprintf("%s.%s.svc.cluster.local", deploymentInfo.ServiceName, k.namespace)
+	port := int32(8080)

---

116-136: Add ImagePullPolicy for development efficiency.

Consider adding ImagePullPolicy: corev1.PullIfNotPresent to avoid unnecessary image pulls during development.

 						{
 							Name:  "app",
 							Image: image,
+							ImagePullPolicy: corev1.PullIfNotPresent,

---

299-307: Move regex compilation to package level for efficiency.

The comment claims regexes are "compiled once" but they're actually compiled on every function call. Move them to package-level variables for true one-time compilation.

+var (
+	invalidCharsRegex = regexp.MustCompile(`[^a-z0-9-]+`)
+	multiHyphenRegex  = regexp.MustCompile(`-+`)
+)
+
 // sanitizeK8sNames generates RFC1123-compliant names for Kubernetes resources
 func (k *K8sBackend) sanitizeK8sNames(deploymentID string) (deploymentName, serviceName string) {
 	// Generate a short hash suffix for uniqueness (6 hex chars)
 	hash := sha256.Sum256([]byte(deploymentID))
 	hashSuffix := fmt.Sprintf("%x", hash[:3]) // 3 bytes = 6 hex chars

-	// Replace any character not in [a-z0-9-] with a hyphen
-	// This regex will be compiled once at startup for efficiency
-	invalidCharsRegex := regexp.MustCompile(`[^a-z0-9-]+`)
 	sanitized := invalidCharsRegex.ReplaceAllString(strings.ToLower(deploymentID), "-")

-	// Collapse consecutive hyphens to a single hyphen
-	multiHyphenRegex := regexp.MustCompile(`-+`)
 	sanitized = multiHyphenRegex.ReplaceAllString(sanitized, "-")

go/apps/ctrl/services/deployment/deploy_workflow.go (3)

41-57: Consider returning an error when backend initialization fails.

Currently, NewDeployWorkflow logs the error but continues with a nil backend, which will cause runtime failures later. Consider failing fast by returning an error from the constructor.

-func NewDeployWorkflow(cfg DeployWorkflowConfig) *DeployWorkflow {
+func NewDeployWorkflow(cfg DeployWorkflowConfig) (*DeployWorkflow, error) {
 	// Create the appropriate deployment backend
 	deploymentBackend, err := NewDeploymentBackend(cfg.MetalD, cfg.MetaldBackend, cfg.Logger)
 	if err != nil {
-		// Log error but continue - workflow will fail when trying to use the backend
-		cfg.Logger.Error("failed to initialize deployment backend",
-			"error", err,
-			"fallback", cfg.MetaldBackend)
+		return nil, fmt.Errorf("deploy workflow init failed: %w", err)
 	}
 
-	return &DeployWorkflow{
+	return &DeployWorkflow{
 		db:                cfg.DB,
 		partitionDB:       cfg.PartitionDB,
 		logger:            cfg.Logger,
 		deploymentBackend: deploymentBackend,
 		defaultDomain:     cfg.DefaultDomain,
-	}
+	}, nil
 }

Update callers (e.g., go/apps/ctrl/run.go) to handle the new signature.

---

301-307: Fix sql.NullString handling for empty strings.

Currently marking ProjectID and DeploymentID as valid even when they're empty strings. Only mark as valid when non-empty.

-				ProjectID:    sql.NullString{Valid: true, String: req.ProjectID},
+				ProjectID:    sql.NullString{Valid: req.ProjectID != "", String: req.ProjectID},
 				Domain:       domain,
-				DeploymentID: sql.NullString{Valid: true, String: req.DeploymentID},
+				DeploymentID: sql.NullString{Valid: req.DeploymentID != "", String: req.DeploymentID},

---

271-277: Add DNS-safe label sanitization for auto-generated hostnames.

The current logic may produce invalid DNS labels (e.g., labels exceeding 63 chars, containing invalid characters, or consecutive hyphens). Add proper sanitization to ensure RFC 1123 compliance.

+// sanitizeLabel makes a DNS label: [a-z0-9-], no leading/trailing '-', <=63 chars.
+func sanitizeLabel(s string) string {
+	var b strings.Builder
+	prevDash := false
+	for _, r := range s {
+		ok := (r >= 'a' && r <= 'z') || (r >= '0' && r <= '9') || r == '-'
+		if !ok {
+			r = '-'
+		}
+		if r == '-' {
+			if prevDash {
+				continue
+			}
+			prevDash = true
+		} else {
+			prevDash = false
+		}
+		if b.Len() < 63 {
+			b.WriteRune(r)
+		}
+	}
+	out := strings.Trim(b.String(), "-")
+	if out == "" {
+		return "x"
+	}
+	return out
+}

 		// Generate primary hostname: branch-identifier-workspace.domain
-		cleanIdentifier := strings.ToLower(strings.ReplaceAll(identifier, "_", "-"))
-		cleanBranch := strings.ToLower(strings.ReplaceAll(branch, "/", "-"))
-		cleanWorkspaceID := strings.ToLower(req.WorkspaceID)
+		cleanIdentifier := sanitizeLabel(strings.ToLower(identifier))
+		cleanBranch := sanitizeLabel(strings.ToLower(branch))
+		cleanWorkspaceID := sanitizeLabel(strings.ToLower(req.WorkspaceID))
 		autoGeneratedHostname := fmt.Sprintf("%s-%s-%s.%s", cleanBranch, cleanIdentifier, cleanWorkspaceID, w.defaultDomain)
+		// Ensure total hostname length doesn't exceed 253 characters
+		if len(autoGeneratedHostname) > 253 {
+			// Trim identifier to fit
+			maxIdentifierLen := 253 - len(cleanBranch) - len(cleanWorkspaceID) - len(w.defaultDomain) - 3
+			if maxIdentifierLen > 0 && maxIdentifierLen < len(cleanIdentifier) {
+				cleanIdentifier = cleanIdentifier[:maxIdentifierLen]
+				autoGeneratedHostname = fmt.Sprintf("%s-%s-%s.%s", cleanBranch, cleanIdentifier, cleanWorkspaceID, w.defaultDomain)
+			}
+		}

go/pkg/db/queries/acme_challenge_list_executable.sql (2)

2-6: Stable ordering: add a deterministic tie-breaker

created_at can tie; include d.id for determinism.

-ORDER BY d.created_at ASC;
+ORDER BY d.created_at ASC, d.id ASC;

---

4-5: Add/verify supporting indexes for new filters

Ensure composite index on acme_challenges(status, expires_at, type, domain_id) to keep this fast.

go/apps/ctrl/services/acme/providers/http_provider.go (4)

47-55: Apply the same timeout to the UPDATE

Keep DB ops bounded.

-err = db.Query.UpdateAcmeChallengePending(ctx, p.db.RW(), db.UpdateAcmeChallengePendingParams{
+err = db.Query.UpdateAcmeChallengePending(ctx, p.db.RW(), db.UpdateAcmeChallengePendingParams{

(Use the timed ctx from above.)

---

41-45: Add timeouts to DB lookups

Avoid Background() to prevent hangs; use a short context timeout.

-ctx := context.Background()
+ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+defer cancel()

---

65-70: Timeouts in CleanUp

Apply a bounded context for FindDomainByDomain.

-ctx := context.Background()
+ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+defer cancel()

---

88-94: Make timeouts configurable

Hard-coded 90s/3s should be config-driven with sane defaults.

 type HTTPProvider struct {
-	db     db.Database
-	logger logging.Logger
+	db         db.Database
+	logger     logging.Logger
+	timeout    time.Duration
+	interval   time.Duration
 }
@@
 func (p *HTTPProvider) Timeout() (time.Duration, time.Duration) {
-	return 90 * time.Second, 3 * time.Second
+	if p.timeout == 0 { p.timeout = 90 * time.Second }
+	if p.interval == 0 { p.interval = 3 * time.Second }
+	return p.timeout, p.interval
 }

go/pkg/db/acme_challenge_list_executable.sql_generated.go (1)

43-44: Avoid IN (NULL) tri-state; short-circuit explicitly

Empty slice should yield no rows deterministically.

-} else {
-    query = strings.Replace(query, "/*SLICE:verification_types*/?", "NULL", 1)
-}
+} else {
+    // No types => force no matches for clarity over IN (NULL) semantics
+    query = strings.Replace(query, "AND dc.type IN (/*SLICE:verification_types*/?)", "AND 1=0", 1)
+}

go/apps/ctrl/services/acme/providers/cloudflare_provider.go (3)

79-87: Persist uses Pending and stores keyAuth — OK.

Consider same 5s timeout wrapper here too.

-	err = db.Query.UpdateAcmeChallengePending(ctx, p.db.RW(), db.UpdateAcmeChallengePendingParams{
+	err = db.Query.UpdateAcmeChallengePending(ctx, p.db.RW(), db.UpdateAcmeChallengePendingParams{

(use the timed ctx from above)

---

99-110: CleanUp should update DB and propagate errors.

Doc says it “updates the database” but it doesn’t; also swallows provider error.

 func (p *CloudflareProvider) CleanUp(domain, token, keyAuth string) error {
-	p.logger.Info("cleaning up dns challenge", "domain", domain)
+	p.logger.Info("cleaning up dns challenge", "domain", domain)

 	// Clean up the DNS record first
-	err := p.provider.CleanUp(domain, token, keyAuth)
-	if err != nil {
-		p.logger.Warn("failed to clean up dns challenge record", "error", err, "domain", domain)
-	}
-
-	return nil
+	if err := p.provider.CleanUp(domain, token, keyAuth); err != nil {
+		// return the error; caller can decide how to log/handle
+		return fmt.Errorf("dns cleanup failed for %s: %w", domain, err)
+	}
+
+	// Clear stored token/authorization
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+	searchDomain := domain
+	if domain == p.defaultDomain {
+		searchDomain = "*." + domain
+	}
+	dom, err := db.Query.FindDomainByDomain(ctx, p.db.RO(), searchDomain)
+	if err != nil {
+		return fmt.Errorf("find domain during cleanup failed for %s: %w", searchDomain, err)
+	}
+	if err := db.Query.ClearAcmeChallengeTokens(ctx, p.db.RW(), db.ClearAcmeChallengeTokensParams{
+		DomainID:      dom.ID,
+		Token:         "",
+		Authorization: "",
+		UpdatedAt:     sql.NullInt64{Valid: true, Int64: time.Now().UnixMilli()},
+	}); err != nil {
+		return fmt.Errorf("clear challenge tokens failed for %s: %w", searchDomain, err)
+	}
+	return nil
 }

---

55-66: Bound DB calls with short timeouts.

Avoid unbounded Background() during Present.

-	ctx := context.Background()
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()

go/apps/ctrl/run.go (3)

190-198: Fail fast on backend init; don’t return a workflow with nil backend.

Make NewDeployWorkflow return (*DeployWorkflow, error) and handle here.

-	deployWorkflow := deployment.NewDeployWorkflow(deployment.DeployWorkflowConfig{
+	deployWorkflow, err := deployment.NewDeployWorkflow(deployment.DeployWorkflowConfig{
 		Logger:        logger,
 		DB:            database,
 		PartitionDB:   partitionDB,
 		MetaldBackend: cfg.MetaldBackend,
 		MetalD:        metaldClient,
 		DefaultDomain: cfg.DefaultDomain,
 	})
+	if err != nil {
+		return fmt.Errorf("unable to init deployment workflow: %w", err)
+	}

And update the constructor to return (*DeployWorkflow, error) and propagate backend init errors.

---

311-331: Make wildcard domain bootstrapping idempotent and avoid hard-coded workspace.

• Use upsert/“do nothing on conflict” or catch unique-violation and re-query.
• Don’t hard-code WorkspaceID "unkey"; make it configurable/validated.

-				_, err := db.Query.FindDomainByDomain(ctx, database.RO(), wildcardDomain)
+				_, err := db.Query.FindDomainByDomain(ctx, database.RO(), wildcardDomain)
 				if err != nil && !db.IsNotFound(err) {
 					logger.Error("Failed to check existing wildcard domain", "error", err, "domain", wildcardDomain)
 				} else if db.IsNotFound(err) {
-					now := time.Now().UnixMilli()
+					now := time.Now().UnixMilli()
 					domainID := uid.New("domain")
 
 					// Insert domain record
-					err = db.Query.InsertDomain(ctx, database.RW(), db.InsertDomainParams{
+					err = db.Query.InsertDomain(ctx, database.RW(), db.InsertDomainParams{
 						ID:          domainID,
-						WorkspaceID: "unkey", // Default workspace for wildcard cert
+						WorkspaceID: cfg.DefaultWorkspaceID, // TODO: add to config; validate exists at startup
 						Domain:      wildcardDomain,
 						CreatedAt:   now,
 						UpdatedAt:   sql.NullInt64{Valid: true, Int64: now},
 						Type:        db.DomainsTypeCustom,
 					})
 					if err != nil {
-						logger.Error("Failed to create wildcard domain", "error", err, "domain", wildcardDomain)
+						// If unique violation, re-query and continue
+						if d, findErr := db.Query.FindDomainByDomain(ctx, database.RO(), wildcardDomain); findErr == nil {
+							domainID = d.ID
+						} else {
+							logger.Error("Failed to create wildcard domain", "error", err, "domain", wildcardDomain)
+							return fmt.Errorf("create wildcard domain: %w", err)
+						}
 					} else {

Also consider wrapping the two inserts in a transaction.

---

335-347: Challenge TTL too long for ACME; shorten or make configurable.

90 days leaves stale “waiting” records. Use a short TTL (e.g., 1–7 days) or config.

-						expiresAt := time.Now().Add(90 * 24 * time.Hour).UnixMilli() // 90 days
+						// Short TTL; only needs to exist until issuance kicks off
+						expiresAt := time.Now().Add(7 * 24 * time.Hour).UnixMilli()

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b81f159 and f3bdd22.

📒 Files selected for processing (17)

• go/apps/ctrl/run.go (7 hunks)
• go/apps/ctrl/services/acme/certificate_workflow.go (3 hunks)
• go/apps/ctrl/services/acme/providers/cloudflare_provider.go (1 hunks)
• go/apps/ctrl/services/acme/providers/http_provider.go (3 hunks)
• go/apps/ctrl/services/deployment/backends/k8s.go (1 hunks)
• go/apps/ctrl/services/deployment/deploy_workflow.go (13 hunks)
• go/apps/gw/run.go (2 hunks)
• go/apps/gw/services/caches/caches.go (3 hunks)
• go/pkg/db/acme_challenge_find_by_token.sql_generated.go (2 hunks)
• go/pkg/db/acme_challenge_list_executable.sql_generated.go (1 hunks)
• go/pkg/db/acme_challenge_update_expires_at.sql_generated.go (0 hunks)
• go/pkg/db/models_generated.go (1 hunks)
• go/pkg/db/querier_generated.go (4 hunks)
• go/pkg/db/queries/acme_challenge_list_executable.sql (1 hunks)
• go/pkg/db/queries/acme_challenge_update_expires_at.sql (0 hunks)
• go/pkg/db/schema.sql (2 hunks)
• internal/db/src/schema/acme_challenges.ts (1 hunks)

💤 Files with no reviewable changes (2)

• go/pkg/db/acme_challenge_update_expires_at.sql_generated.go
• go/pkg/db/queries/acme_challenge_update_expires_at.sql

🧰 Additional context used

🧠 Learnings (12)

📚 Learning: 2025-09-11T14:13:12.081Z

Learnt from: Flo4604
PR: unkeyed/unkey#3944
File: go/apps/ctrl/services/acme/providers/cloudflare_provider.go:56-69
Timestamp: 2025-09-11T14:13:12.081Z
Learning: For the default domain in the Unkey system (go/apps/ctrl/services/acme/providers/cloudflare_provider.go), only wildcard certificates are issued. When domain == p.defaultDomain, the code should always convert to the wildcard form ("*." + domain) and not attempt fallback lookups to the base domain form.

Applied to files:

• go/apps/ctrl/services/acme/providers/cloudflare_provider.go
• go/apps/ctrl/run.go

📚 Learning: 2025-09-11T14:12:30.523Z

Learnt from: Flo4604
PR: unkeyed/unkey#3944
File: go/apps/ctrl/run.go:292-299
Timestamp: 2025-09-11T14:12:30.523Z
Learning: In go/apps/ctrl/config.go, the Validate() method already includes validation for Cloudflare API token using assert.NotEmpty() when both c.Acme.Enabled and c.Acme.Cloudflare.Enabled are true, with the error message "cloudflare API token is required when cloudflare is enabled".

Applied to files:

• go/apps/ctrl/services/acme/providers/cloudflare_provider.go
• go/apps/ctrl/run.go

📚 Learning: 2025-09-11T14:12:30.523Z

Learnt from: Flo4604
PR: unkeyed/unkey#3944
File: go/apps/ctrl/run.go:292-299
Timestamp: 2025-09-11T14:12:30.523Z
Learning: In go/apps/ctrl/config.go, the Validate() method already includes validation for Cloudflare API token when ACME and Cloudflare are both enabled, checking that cfg.Acme.Cloudflare.ApiToken is not empty.

Applied to files:

• go/apps/ctrl/services/acme/providers/cloudflare_provider.go
• go/apps/ctrl/run.go

📚 Learning: 2025-09-11T08:17:21.409Z

Learnt from: Flo4604
PR: unkeyed/unkey#3944
File: go/apps/ctrl/services/deployment/fallbacks/k8s.go:236-247
Timestamp: 2025-09-11T08:17:21.409Z
Learning: The K8s fallback backend in go/apps/ctrl/services/deployment/fallbacks/k8s.go is specifically designed for scenarios where the ctrl service runs inside a Kubernetes cluster. It should not be used when ctrl runs outside the cluster - in those cases, the Docker fallback should be used instead.

Applied to files:

• go/apps/ctrl/services/deployment/backends/k8s.go

📚 Learning: 2025-08-19T08:57:31.793Z

Learnt from: Flo4604
PR: unkeyed/unkey#3800
File: go/apps/api/integration/multi_node_usagelimiting/run.go:107-126
Timestamp: 2025-08-19T08:57:31.793Z
Learning: Go 1.22+ supports "range over integers" syntax: `for range N` iterates N times, and `for i := range N` iterates with i from 0 to N-1. This is valid Go syntax and should not be flagged as a compilation error.

Applied to files:

• go/apps/ctrl/services/deployment/backends/k8s.go

📚 Learning: 2025-09-11T09:14:45.376Z

Learnt from: Flo4604
PR: unkeyed/unkey#3944
File: go/apps/ctrl/services/deployment/backends/k8s.go:302-310
Timestamp: 2025-09-11T09:14:45.376Z
Learning: The min() and max() functions are built-in to Go 1.21+ and should not be flagged as undefined when reviewing Go code that uses Go 1.21 or later.

Applied to files:

• go/apps/ctrl/services/deployment/backends/k8s.go

📚 Learning: 2025-08-19T08:53:43.952Z

Learnt from: Flo4604
PR: unkeyed/unkey#3800
File: go/apps/api/integration/multi_node_usagelimiting/accuracy/accuracy_test.go:231-240
Timestamp: 2025-08-19T08:53:43.952Z
Learning: Go 1.21+ includes builtin min() and max() functions for ordered types including integers, so min/max calls in Go code should not be flagged as undefined when the project uses Go 1.21 or later.

Applied to files:

• go/apps/ctrl/services/deployment/backends/k8s.go

📚 Learning: 2025-07-16T09:18:45.379Z

Learnt from: ogzhanolguncu
PR: unkeyed/unkey#3564
File: go/cmd/cli/commands/deploy/deploy.go:153-158
Timestamp: 2025-07-16T09:18:45.379Z
Learning: In the go/cmd/cli/commands/deploy/ CLI codebase, ogzhanolguncu prefers to allow deployment to continue even when Docker push fails (around lines 153-158 in deploy.go) because the team is working locally and needs this behavior for local development workflows where registry access might not be available.

Applied to files:

• go/apps/ctrl/services/deployment/deploy_workflow.go

📚 Learning: 2025-09-11T14:24:40.944Z

Learnt from: Flo4604
PR: unkeyed/unkey#3944
File: go/apps/ctrl/services/deployment/deploy_workflow.go:326-334
Timestamp: 2025-09-11T14:24:40.944Z
Learning: The InsertDomains method in the bulk queries uses ON DUPLICATE KEY UPDATE, making it an upsert operation that is idempotent and safe for retries, despite the "Insert" naming convention.

Applied to files:

• go/apps/ctrl/services/deployment/deploy_workflow.go

📚 Learning: 2025-08-08T16:10:00.224Z

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/workflows/job_detect_changes.yaml:111-114
Timestamp: 2025-08-08T16:10:00.224Z
Learning: Repo: unkeyed/unkey — When imeyer writes “make me an issue” on a PR thread, automatically open a thorough GitHub issue (Summary, Impact, Where, Repro, Observed vs Expected, Acceptance Criteria, Validation Plan, Out of Scope, References), include backlinks to the PR and comment, and assign to imeyer.

Applied to files:

• go/apps/ctrl/run.go

📚 Learning: 2025-04-08T09:34:24.576Z

Learnt from: ogzhanolguncu
PR: unkeyed/unkey#2872
File: apps/dashboard/lib/trpc/routers/ratelimit/createNamespace.ts:36-39
Timestamp: 2025-04-08T09:34:24.576Z
Learning: In the Unkey dashboard, when making database queries involving workspaces, use `ctx.workspace.id` directly instead of fetching the workspace separately for better performance and security.

Applied to files:

• go/apps/ctrl/run.go

📚 Learning: 2025-04-08T09:34:24.576Z

Learnt from: ogzhanolguncu
PR: unkeyed/unkey#2872
File: apps/dashboard/lib/trpc/routers/ratelimit/createNamespace.ts:36-39
Timestamp: 2025-04-08T09:34:24.576Z
Learning: When querying or updating namespaces in the Unkey dashboard, always scope the operations to the current workspace using `eq(table.workspaceId, ctx.workspace.id)` to prevent cross-workspace access.

Applied to files:

• go/apps/ctrl/run.go

🧬 Code graph analysis (11)

go/pkg/db/acme_challenge_list_executable.sql_generated.go (1)

go/pkg/db/models_generated.go (1)

• AcmeChallengesType (60-60)

go/apps/ctrl/services/acme/providers/cloudflare_provider.go (2)

go/pkg/otel/logging/interface.go (1)

• Logger (11-116)

go/pkg/db/models_generated.go (1)

• AcmeChallengesStatusPending (20-20)

go/pkg/db/acme_challenge_find_by_token.sql_generated.go (1)

go/pkg/db/models_generated.go (1)

• AcmeChallenge (450-460)

go/apps/gw/run.go (3)

go/apps/gw/services/caches/caches.go (2)

• New (74-142)
• Config (38-43)

go/apps/gw/services/certmanager/interface.go (1)

• Config (18-35)

go/apps/gw/services/routing/interface.go (1)

• Config (25-32)

go/apps/ctrl/services/deployment/backends/k8s.go (3)

go/pkg/otel/logging/interface.go (1)

• Logger (11-116)

go/pkg/ptr/pointer.go (1)

• P (49-51)

go/apps/ctrl/services/deployment/backends/interface.go (1)

• BackendTypeK8s (14-14)

go/apps/ctrl/services/acme/providers/http_provider.go (1)

go/pkg/db/acme_challenge_clear_tokens.sql_generated.go (1)

• ClearAcmeChallengeTokensParams (19-24)

go/apps/ctrl/services/deployment/deploy_workflow.go (10)

go/pkg/otel/logging/interface.go (1)

• Logger (11-116)

go/apps/ctrl/services/deployment/backends/interface.go (1)

• DeploymentBackend (19-31)

go/apps/ctrl/services/deployment/backend_adapter.go (2)

• DeploymentBackend (16-20)
• NewDeploymentBackend (120-132)

go/pkg/db/models_generated.go (2)

• Domain (555-564)
• Deployment (526-544)

go/pkg/hydra/step.go (2)

• Step (67-276)
• StepVoid (302-310)

go/pkg/git/git.go (2)

• Info (9-15)
• GetInfo (19-51)

go/pkg/partition/db/vm_upsert.sql_generated.go (1)

• UpsertVMParams (24-31)

go/pkg/db/domain_insert.sql_generated.go (1)

• InsertDomainParams (38-47)

go/pkg/partition/db/gateway_upsert.sql_generated.go (1)

• UpsertGatewayParams (20-24)

go/apps/ctrl/config.go (1)

• Config (35-88)

internal/db/src/schema/acme_challenges.ts (1)

internal/db/src/schema/util/lifecycle_dates.ts (1)

• lifecycleDates (3-8)

go/pkg/db/querier_generated.go (4)

go/pkg/db/acme_challenge_clear_tokens.sql_generated.go (1)

• ClearAcmeChallengeTokensParams (19-24)

go/pkg/db/models_generated.go (1)

• AcmeChallengesType (60-60)

go/pkg/db/acme_challenge_list_executable.sql_generated.go (1)

• ListExecutableChallengesRow (21-25)

go/pkg/db/acme_challenge_update_verified_with_expiry.sql_generated.go (1)

• UpdateAcmeChallengeVerifiedWithExpiryParams (19-24)

go/apps/ctrl/services/acme/certificate_workflow.go (3)

go/pkg/db/models_generated.go (3)

• Domain (555-564)
• AcmeChallengesStatusPending (20-20)
• AcmeChallengesStatusVerified (21-21)

go/pkg/hydra/step.go (2)

• Step (67-276)
• StepVoid (302-310)

go/pkg/db/acme_challenge_update_verified_with_expiry.sql_generated.go (1)

• UpdateAcmeChallengeVerifiedWithExpiryParams (19-24)

go/apps/ctrl/run.go (6)

go/apps/ctrl/services/deployment/deploy_workflow.go (2)

• NewDeployWorkflow (41-58)
• DeployWorkflowConfig (31-38)

go/apps/ctrl/services/acme/providers/cloudflare_provider.go (2)

• NewCloudflareProvider (35-51)
• CloudflareProviderConfig (27-32)

go/pkg/db/handle_err_no_rows.go (1)

• IsNotFound (8-10)

go/pkg/uid/uid.go (1)

• New (97-127)

go/pkg/db/domain_insert.sql_generated.go (1)

• InsertDomainParams (38-47)

go/pkg/db/models_generated.go (6)

• Domain (555-564)
• DomainsTypeCustom (242-242)
• AcmeChallengesStatusWaiting (19-19)
• AcmeChallengesTypeDNS01 (64-64)
• AcmeChallengesType (60-60)
• AcmeChallengesTypeHTTP01 (63-63)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: Test API / API Test Local
• GitHub Check: Test Go API Local / Test
• GitHub Check: Test Packages / Test

🔇 Additional comments (23)

go/apps/gw/run.go (1)

275-275: Ratelimit nil is safe for router paths — no dereferences found. go/apps/gw/router/services.go declares Ratelimit ratelimit.Service (line 22) and a grep of go/apps/gw/router returned only that definition, no other uses; router code won't dereference it.

go/apps/gw/services/caches/caches.go (1)

76-82: GatewayConfig cache TTLs look good for fast rollbacks.

5s fresh / 30s stale is a solid default and the added Clock improves testability.

go/pkg/db/models_generated.go (1)

450-460: LGTM! Schema changes align with the primary key migration.

The struct correctly reflects the database schema changes:

• DomainID is now the first field (as the primary key should be)
• The auto-increment ID field has been removed
• Field order and types match the schema definition

internal/db/src/schema/acme_challenges.ts (1)

7-25: LGTM! Primary key migration correctly implemented.

The TypeScript schema correctly reflects the database changes:

• domainId is now the primary key
• String lengths reduced from 256 to 255 for consistency
• Appropriate indices added for querying

go/apps/ctrl/services/deployment/backends/k8s.go (1)

81-85: LGTM! Go 1.22+ range over integers syntax is valid.

The for i := range vmCount syntax is correct for Go 1.22+ where ranging over an integer iterates from 0 to N-1.

go/apps/ctrl/services/deployment/deploy_workflow.go (2)

599-623: LGTM! Local hostname detection is properly implemented.

The function correctly identifies local development hostnames using exact matches and suffix checks, properly excluding .dev which is a real TLD.

---

348-353: Resolved — protojson encoding is consistent for gateway configs.

Verified: deploy_workflow.go uses protojson.Marshal for writes (lines 348, 497) and protojson.Unmarshal for reads (line 485), with a clarifying comment at 569–572; gw/services/routing/service.go reads via protojson.Unmarshal (line 61).

go/pkg/db/acme_challenge_find_by_token.sql_generated.go (2)

13-14: Column order change is consistent and safe

SELECT list and the doc comment reflect the struct shape after removing ID; good.

Also applies to: 24-24

---

28-37: Scan mapping matches AcmeChallenge struct

The Scan order aligns with DomainID→UpdatedAt in models_generated.go.

go/pkg/db/acme_challenge_list_executable.sql_generated.go (1)

14-18: Result shape and scan order look correct

WorkspaceID → Type → Domain scan matches SELECT list.

Also applies to: 53-54

go/apps/ctrl/services/acme/certificate_workflow.go (3)

68-70: Good use of stepCtx inside hydra.Step callbacks

DB calls now inherit per-step deadlines/tracing.

Also applies to: 75-81

---

169-175: Finalize with verified+expiry looks right

DomainID-based update aligns with new PK; parameters are correct.

---

154-164: Incorrect uniqueness assumption — schema enforces UNIQUE(hostname); use upsert/update-on-conflict

go/pkg/partition/db/schema.sql defines certificates with UNIQUE KEY unique_hostname (hostname) (around lines 61–71). Uniqueness is on hostname only (not (workspace_id, hostname)); InsertCertificate will hit duplicate-key errors on renewals. Replace the insert with an upsert or implement INSERT ... ON DUPLICATE KEY UPDATE / update-existing-row (add an UpsertCertificate query or equivalent).

Likely an incorrect or invalid review comment.

go/pkg/db/querier_generated.go (3)

13-18: Add looks good; aligns with cleanup flow.

The ClearAcmeChallengeTokens API fits the provider cleanup need.

---

124-125: Find-by-token projection update is fine.

Matches the domain_id–centric schema.

---

1567-1572: Verified-with-expiry updater looks correct.

API matches the new renewal flow.

go/apps/ctrl/services/acme/providers/cloudflare_provider.go (4)

15-16: Good: interface assertions cover Timeout support.

---

34-41: Provider config sensible (TTL/timeout).

---

71-77: Good: token redacted in logs.

---

112-115: Timeout delegation OK.

go/apps/ctrl/run.go (3)

291-301: Cloudflare provider wiring looks correct; token validation is already in config.Validate().

---

375-382: Good: pass supportedTypes into ListExecutableChallenges.

---

384-393: Heads-up: depends on expires_at unit fix in SQL.

Ensure the query compares ms to ms as noted in db comment.