Deployment and lifecycle management for Nix
cleanup: remove agent->garden compat shims and narrow garden:register to create-only
- Remove migrate_agent_sid/1 from Garden.Storage (all gardens are on 0.8.0+)
- Narrow garden:register permission from all(Garden) to create(Garden)
- Update socket auth check from read? to create? to match narrowed permission
sow-132
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
+2
-19
-17
apps/garden/lib/garden/storage.ex
-17
apps/garden/lib/garden/storage.ex
···
68
68
69
69
data =
70
70
raw
71
-
|> migrate_agent_sid()
72
71
|> ensure_fields()
73
72
74
73
if data != raw do
···
113
112
Logger.debug(msg: "Wrote storage", file: file)
114
113
%{state | data: data}
115
114
end
116
-
117
-
defp migrate_agent_sid(%{agent_sid: sid} = data) when is_binary(sid) do
118
-
Logger.info(msg: "Migrating agent_sid to garden_sid", garden_sid: sid)
119
-
120
-
data
121
-
|> Map.delete(:agent_sid)
122
-
|> Map.put(:garden_sid, sid)
123
-
|> then(
124
-
&struct!(
125
-
__MODULE__,
126
-
Map.take(&1, [:local_sid, :garden_sid, :subscriptions, :oauth_credentials])
127
-
)
128
-
)
129
-
end
130
-
131
-
defp migrate_agent_sid(%__MODULE__{} = data), do: data
132
115
133
116
# Ensure deserialized structs have all current fields (handles schema evolution)
134
117
defp ensure_fields(%{__struct__: __MODULE__} = data) do
+1
-1
apps/sower/lib/sower_web/garden_socket.ex
+1
-1
apps/sower/lib/sower_web/garden_socket.ex
···
74
74
defp authenticate_token(base64_token) do
75
75
with {:ok, decoded} <- Base.decode64(base64_token),
76
76
{:ok, access_token} <- Sower.Accounts.AccessToken.authenticate(decoded) do
77
-
if access_token |> can() |> read?(Sower.Orchestration.Garden) do
77
+
if access_token |> can() |> create?(Sower.Orchestration.Garden) do
78
78
{:ok, access_token}
79
79
else
80
80
Logger.error(