A container registry that uses the AT Protocol for manifest storage and S3 for blob storage.
ui fixes for repo page, fix scanner priority, cleanup goreleaser scripts
+3410
-730
+1
.goreleaser.yaml
+1
.goreleaser.yaml
+19
-137
.tangled/workflows/release-credential-helper.yml
+19
-137
.tangled/workflows/release-credential-helper.yml
···
1
1
# Tangled Workflow: Release Credential Helper
2
2
#
3
-
# This workflow builds cross-platform binaries for the credential helper.
4
-
# Creates tarballs for curl/bash installation and provides instructions
5
-
# for updating the Homebrew formula.
3
+
# Builds cross-platform binaries using GoReleaser and publishes
4
+
# artifacts to the repo owner's PDS as sh.tangled.repo.artifact records.
6
5
#
7
6
# Triggers on version tags (v*) pushed to the repository.
7
+
#
8
+
# Required secrets: PUBLISH_APP_PASSWORD (ATProto app password for artifact publishing)
8
9
9
10
when:
10
11
- event: ["manual"]
11
12
tag: ["v*"]
12
13
13
-
engine: "nixery"
14
-
15
-
dependencies:
16
-
nixpkgs:
17
-
- go_1_24 # Go 1.24+ for building
18
-
- goreleaser # For building multi-platform binaries
19
-
- curl # Required by go generate for downloading vendor assets
20
-
- gnugrep # Required for tag detection
21
-
- gnutar # Required for creating tarballs
22
-
- gzip # Required for compressing tarballs
23
-
- coreutils # Required for sha256sum
14
+
engine: kubernetes
15
+
image: golang:1.25-trixie
16
+
architecture: amd64
24
17
25
18
environment:
26
-
CGO_ENABLED: "0" # Build static binaries
19
+
CGO_ENABLED: "0"
20
+
REPO_RKEY: "3m2pjukohu322"
27
21
28
22
steps:
29
-
- name: Get tag for current commit
30
-
command: |
31
-
# Fetch tags (shallow clone doesn't include them by default)
32
-
git fetch --tags
33
-
34
-
# Find the tag that points to the current commit
35
-
TAG=$(git tag --points-at HEAD | grep -E '^v[0-9]' | head -n1)
36
-
37
-
if [ -z "$TAG" ]; then
38
-
echo "Error: No version tag found for current commit"
39
-
echo "Available tags:"
40
-
git tag
41
-
echo "Current commit:"
42
-
git rev-parse HEAD
43
-
exit 1
44
-
fi
45
-
46
-
echo "Building version: $TAG"
47
-
echo "$TAG" > .version
48
-
49
-
# Also get the commit hash for reference
50
-
COMMIT_HASH=$(git rev-parse HEAD)
51
-
echo "Commit: $COMMIT_HASH"
52
-
53
-
- name: Build binaries with GoReleaser
23
+
- name: Install tools
54
24
command: |
55
-
VERSION=$(cat .version)
56
-
export VERSION
57
-
58
-
# Build for all platforms using GoReleaser
59
-
goreleaser build --clean --snapshot --config .goreleaser.yaml
60
-
61
-
# List what was built
62
-
echo "Built artifacts:"
63
-
if [ -d "dist" ]; then
64
-
ls -lh dist/
65
-
else
66
-
echo "Error: dist/ directory was not created by GoReleaser"
67
-
exit 1
68
-
fi
69
-
70
-
- name: Package artifacts
71
-
command: |
72
-
VERSION=$(cat .version)
73
-
VERSION_NO_V=${VERSION#v} # Remove 'v' prefix for filenames
74
-
75
-
cd dist
76
-
77
-
# Create tarballs for each platform
78
-
# GoReleaser creates directories like: credential-helper_{os}_{arch}_v{goversion}
79
-
80
-
# Darwin x86_64
81
-
if [ -d "credential-helper_darwin_amd64_v1" ]; then
82
-
tar czf "docker-credential-atcr_${VERSION_NO_V}_Darwin_x86_64.tar.gz" \
83
-
-C credential-helper_darwin_amd64_v1 docker-credential-atcr
84
-
echo "Created: docker-credential-atcr_${VERSION_NO_V}_Darwin_x86_64.tar.gz"
85
-
fi
86
-
87
-
# Darwin arm64
88
-
for dir in credential-helper_darwin_arm64*; do
89
-
if [ -d "$dir" ]; then
90
-
tar czf "docker-credential-atcr_${VERSION_NO_V}_Darwin_arm64.tar.gz" \
91
-
-C "$dir" docker-credential-atcr
92
-
echo "Created: docker-credential-atcr_${VERSION_NO_V}_Darwin_arm64.tar.gz"
93
-
break
94
-
fi
95
-
done
25
+
go install github.com/bluesky-social/goat@latest
26
+
go install github.com/goreleaser/goreleaser/v2@latest
27
+
apt-get update && apt-get install -y jq xxd
96
28
97
-
# Linux x86_64
98
-
if [ -d "credential-helper_linux_amd64_v1" ]; then
99
-
tar czf "docker-credential-atcr_${VERSION_NO_V}_Linux_x86_64.tar.gz" \
100
-
-C credential-helper_linux_amd64_v1 docker-credential-atcr
101
-
echo "Created: docker-credential-atcr_${VERSION_NO_V}_Linux_x86_64.tar.gz"
102
-
fi
103
-
104
-
# Linux arm64
105
-
for dir in credential-helper_linux_arm64*; do
106
-
if [ -d "$dir" ]; then
107
-
tar czf "docker-credential-atcr_${VERSION_NO_V}_Linux_arm64.tar.gz" \
108
-
-C "$dir" docker-credential-atcr
109
-
echo "Created: docker-credential-atcr_${VERSION_NO_V}_Linux_arm64.tar.gz"
110
-
break
111
-
fi
112
-
done
113
-
114
-
echo ""
115
-
echo "Tarballs ready:"
116
-
ls -lh *.tar.gz 2>/dev/null || echo "Warning: No tarballs created"
117
-
118
-
- name: Generate checksums
29
+
- name: Build and publish release
119
30
command: |
120
-
VERSION=$(cat .version)
121
-
VERSION_NO_V=${VERSION#v}
122
-
123
-
cd dist
124
-
125
-
echo ""
126
-
echo "=========================================="
127
-
echo "SHA256 Checksums"
128
-
echo "=========================================="
129
-
echo ""
31
+
git fetch --tags
130
32
131
-
# Generate checksums file
132
-
sha256sum docker-credential-atcr_${VERSION_NO_V}_*.tar.gz 2>/dev/null | tee checksums.txt || echo "No checksums generated"
33
+
# REPO_URL is built from Tangled-provided env vars
34
+
export REPO_URL="at://${TANGLED_REPO_DID}/sh.tangled.repo/${REPO_RKEY}"
35
+
export APP_PASSWORD="${PUBLISH_APP_PASSWORD}"
133
36
134
-
- name: Next steps
135
-
command: |
136
-
VERSION=$(cat .version)
137
-
138
-
echo ""
139
-
echo "=========================================="
140
-
echo "Release $VERSION is ready!"
141
-
echo "=========================================="
142
-
echo ""
143
-
echo "Distribution tarballs are in: dist/"
144
-
echo ""
145
-
echo "Next steps:"
146
-
echo ""
147
-
echo "1. Upload tarballs to your hosting/CDN (or GitHub releases)"
148
-
echo ""
149
-
echo "2. For Homebrew users, update the formula:"
150
-
echo " ./scripts/update-homebrew-formula.sh $VERSION"
151
-
echo " # Then update Formula/docker-credential-atcr.rb and push to homebrew-tap"
152
-
echo ""
153
-
echo "3. For curl/bash installation, users can download directly:"
154
-
echo " curl -L <your-cdn>/docker-credential-atcr_<version>_<os>_<arch>.tar.gz | tar xz"
155
-
echo " sudo mv docker-credential-atcr /usr/local/bin/"
37
+
goreleaser release --clean
+18
-17
config-appview.example.yaml
+18
-17
config-appview.example.yaml
···
91
91
company_name: ""
92
92
# Governing law jurisdiction for legal terms.
93
93
jurisdiction: ""
94
+
# AI-powered image advisor settings.
95
+
ai:
96
+
# Anthropic API key for AI Image Advisor. Also reads CLAUDE_API_KEY env var as fallback.
97
+
api_key: ""
94
98
# Stripe billing integration (requires -tags billing build).
95
99
billing:
96
100
# Stripe secret key. Can also be set via STRIPE_SECRET_KEY env var (takes precedence). Billing is enabled automatically when set.
···
100
104
# ISO 4217 currency code (e.g. "usd").
101
105
currency: usd
102
106
# Redirect URL after successful checkout. Use {base_url} placeholder.
103
-
success_url: '{base_url}/settings#storage'
107
+
success_url: '{base_url}/settings#billing'
104
108
# Redirect URL after cancelled checkout. Use {base_url} placeholder.
105
-
cancel_url: '{base_url}/settings#storage'
109
+
cancel_url: '{base_url}/settings#billing'
106
110
# Subscription tiers ordered by rank (lowest to highest).
107
111
tiers:
108
112
- # Tier name. Position in list determines rank (0-based).
···
119
123
max_webhooks: 1
120
124
# Allow all webhook trigger types (not just first-scan).
121
125
webhook_all_triggers: false
126
+
# Enable AI Image Advisor for this tier.
127
+
ai_advisor: false
128
+
# Show supporter badge on user profiles for subscribers at this tier.
122
129
supporter_badge: false
123
130
- # Tier name. Position in list determines rank (0-based).
124
131
name: Supporter
···
133
140
# Maximum webhooks for this tier (-1 = unlimited).
134
141
max_webhooks: 1
135
142
# Allow all webhook trigger types (not just first-scan).
136
-
webhook_all_triggers: false
143
+
webhook_all_triggers: true
144
+
# Enable AI Image Advisor for this tier.
145
+
ai_advisor: true
146
+
# Show supporter badge on user profiles for subscribers at this tier.
137
147
supporter_badge: true
138
148
- # Tier name. Position in list determines rank (0-based).
139
149
name: bosun
···
149
159
max_webhooks: 10
150
160
# Allow all webhook trigger types (not just first-scan).
151
161
webhook_all_triggers: true
162
+
# Enable AI Image Advisor for this tier.
163
+
ai_advisor: true
164
+
# Show supporter badge on user profiles for subscribers at this tier.
152
165
supporter_badge: true
153
-
# - # Tier name. Position in list determines rank (0-based).
154
-
# name: quartermaster
155
-
# # Short description shown on the plan card.
156
-
# description: Maximum storage for power users
157
-
# # List of features included in this tier.
158
-
# features: []
159
-
# # Stripe price ID for monthly billing. Empty = free tier.
160
-
# stripe_price_monthly: price_xxx
161
-
# # Stripe price ID for yearly billing.
162
-
# stripe_price_yearly: price_yyy
163
-
# # Maximum webhooks for this tier (-1 = unlimited).
164
-
# max_webhooks: -1
165
-
# # Allow all webhook trigger types (not just first-scan).
166
-
# webhook_all_triggers: true
166
+
# Show supporter badge on hold owner profiles.
167
+
owner_badge: true
+47
lexicons/io/atcr/hold/stats/daily.json
+47
lexicons/io/atcr/hold/stats/daily.json
···
1
+
{
2
+
"lexicon": 1,
3
+
"id": "io.atcr.hold.stats.daily",
4
+
"defs": {
5
+
"main": {
6
+
"type": "record",
7
+
"key": "any",
8
+
"description": "Daily repository statistics stored in the hold's embedded PDS. Tracks pull/push counts per owner+repository+date combination. Record key is deterministic: base32(sha256(ownerDID + \"/\" + repository + \"/\" + date)[:16]). Complements cumulative io.atcr.hold.stats records by providing daily granularity for trend charts.",
9
+
"record": {
10
+
"type": "object",
11
+
"required": ["ownerDid", "repository", "date", "pullCount", "pushCount", "updatedAt"],
12
+
"properties": {
13
+
"ownerDid": {
14
+
"type": "string",
15
+
"format": "did",
16
+
"description": "DID of the image owner (e.g., did:plc:xyz123)"
17
+
},
18
+
"repository": {
19
+
"type": "string",
20
+
"description": "Repository name (e.g., myapp)",
21
+
"maxLength": 256
22
+
},
23
+
"date": {
24
+
"type": "string",
25
+
"description": "Date in YYYY-MM-DD format (UTC)",
26
+
"maxLength": 10
27
+
},
28
+
"pullCount": {
29
+
"type": "integer",
30
+
"minimum": 0,
31
+
"description": "Number of manifest downloads on this date"
32
+
},
33
+
"pushCount": {
34
+
"type": "integer",
35
+
"minimum": 0,
36
+
"description": "Number of manifest uploads on this date"
37
+
},
38
+
"updatedAt": {
39
+
"type": "string",
40
+
"format": "datetime",
41
+
"description": "RFC3339 timestamp of when this record was last updated"
42
+
}
43
+
}
44
+
}
45
+
}
46
+
}
47
+
}
+17
-2
pkg/appview/config.go
+17
-2
pkg/appview/config.go
···
32
32
Auth AuthConfig `yaml:"auth" comment:"JWT authentication settings."`
33
33
CredentialHelper CredentialHelperConfig `yaml:"credential_helper" comment:"Credential helper download settings."`
34
34
Legal LegalConfig `yaml:"legal" comment:"Legal page customization for self-hosted instances."`
35
+
AI AIConfig `yaml:"ai" comment:"AI-powered image advisor settings."`
35
36
Billing billing.Config `yaml:"billing" comment:"Stripe billing integration (requires -tags billing build)."`
36
37
Distribution *configuration.Configuration `yaml:"-"` // Wrapped distribution config for compatibility
37
38
}
···
140
141
Jurisdiction string `yaml:"jurisdiction" comment:"Governing law jurisdiction for legal terms."`
141
142
}
142
143
144
+
// AIConfig defines AI-powered image advisor settings
145
+
type AIConfig struct {
146
+
// Anthropic API key for the AI Image Advisor feature.
147
+
APIKey string `yaml:"api_key" comment:"Anthropic API key for AI Image Advisor. Also reads CLAUDE_API_KEY env var as fallback."`
148
+
}
149
+
143
150
// setDefaults registers all default values on the given Viper instance.
144
151
func setDefaults(v *viper.Viper) {
145
152
v.SetDefault("version", "0.1")
···
188
195
// Log shipper defaults
189
196
v.SetDefault("log_shipper.batch_size", 100)
190
197
v.SetDefault("log_shipper.flush_interval", "5s")
198
+
199
+
// AI defaults
200
+
v.SetDefault("ai.api_key", "")
191
201
192
202
// Legal defaults
193
203
v.SetDefault("legal.company_name", "")
···
213
223
214
224
// Populate example billing tiers so operators see the structure
215
225
cfg.Billing.Currency = "usd"
216
-
cfg.Billing.SuccessURL = "{base_url}/settings#storage"
217
-
cfg.Billing.CancelURL = "{base_url}/settings#storage"
226
+
cfg.Billing.SuccessURL = "{base_url}/settings#billing"
227
+
cfg.Billing.CancelURL = "{base_url}/settings#billing"
218
228
cfg.Billing.OwnerBadge = true
219
229
cfg.Billing.Tiers = []billing.BillingTierConfig{
220
230
{Name: "deckhand", Description: "Get started with basic storage", MaxWebhooks: 1},
···
253
263
// Post-load: CompanyName defaults to ClientName
254
264
if cfg.Legal.CompanyName == "" {
255
265
cfg.Legal.CompanyName = cfg.Server.ClientName
266
+
}
267
+
268
+
// Post-load: AI API key fallback to CLAUDE_API_KEY env
269
+
if cfg.AI.APIKey == "" {
270
+
cfg.AI.APIKey = os.Getenv("CLAUDE_API_KEY")
256
271
}
257
272
258
273
// Validation
+7
pkg/appview/db/migrations/0019_create_advisor_suggestions.yaml
+7
pkg/appview/db/migrations/0019_create_advisor_suggestions.yaml
+13
pkg/appview/db/migrations/0020_add_subject_digest.yaml
+13
pkg/appview/db/migrations/0020_add_subject_digest.yaml
···
1
+
description: Add subject_digest column to manifests for tracking OCI referrers (attestations, signatures)
2
+
query: |
3
+
ALTER TABLE manifests ADD COLUMN subject_digest TEXT;
4
+
CREATE INDEX IF NOT EXISTS idx_manifests_subject_digest ON manifests(subject_digest);
5
+
UPDATE manifests SET subject_digest = 'backfill'
6
+
WHERE artifact_type = 'unknown'
7
+
AND media_type NOT LIKE '%index%'
8
+
AND media_type NOT LIKE '%manifest.list%'
9
+
AND id IN (
10
+
SELECT m.id FROM manifests m
11
+
JOIN manifest_references mr ON mr.digest = m.digest
12
+
WHERE mr.is_attestation = 1
13
+
);
+12
pkg/appview/db/migrations/0021_create_repository_stats_daily.yaml
+12
pkg/appview/db/migrations/0021_create_repository_stats_daily.yaml
···
1
+
description: Add daily repository stats table for pull/push trend tracking
2
+
query: |
3
+
CREATE TABLE IF NOT EXISTS repository_stats_daily (
4
+
did TEXT NOT NULL,
5
+
repository TEXT NOT NULL,
6
+
date TEXT NOT NULL,
7
+
pull_count INTEGER NOT NULL DEFAULT 0,
8
+
push_count INTEGER NOT NULL DEFAULT 0,
9
+
PRIMARY KEY(did, repository, date),
10
+
FOREIGN KEY(did) REFERENCES users(did) ON DELETE CASCADE
11
+
);
12
+
CREATE INDEX IF NOT EXISTS idx_repo_stats_daily_date ON repository_stats_daily(date DESC);
+10
pkg/appview/db/models.go
+10
pkg/appview/db/models.go
···
25
25
ConfigDigest string
26
26
ConfigSize int64
27
27
ArtifactType string // container-image, helm-chart, unknown
28
+
SubjectDigest string // digest of the parent manifest (for attestations/referrers)
28
29
CreatedAt time.Time
29
30
// Annotations removed - now stored in repository_annotations table
30
31
}
···
90
91
LastPull *time.Time `json:"last_pull,omitempty"`
91
92
PushCount int `json:"push_count"`
92
93
LastPush *time.Time `json:"last_push,omitempty"`
94
+
}
95
+
96
+
// DailyStats represents daily pull/push statistics for a repository
97
+
type DailyStats struct {
98
+
DID string `json:"did"`
99
+
Repository string `json:"repository"`
100
+
Date string `json:"date"`
101
+
PullCount int `json:"pull_count"`
102
+
PushCount int `json:"push_count"`
93
103
}
94
104
95
105
// RepositoryWithStats combines repository data with statistics
+141
-11
pkg/appview/db/queries.go
+141
-11
pkg/appview/db/queries.go
···
627
627
_, err := db.Exec(`
628
628
INSERT INTO manifests
629
629
(did, repository, digest, hold_endpoint, schema_version, media_type,
630
-
config_digest, config_size, artifact_type, created_at)
631
-
VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
630
+
config_digest, config_size, artifact_type, subject_digest, created_at)
631
+
VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
632
632
ON CONFLICT(did, repository, digest) DO UPDATE SET
633
633
hold_endpoint = excluded.hold_endpoint,
634
634
schema_version = excluded.schema_version,
635
635
media_type = excluded.media_type,
636
636
config_digest = excluded.config_digest,
637
637
config_size = excluded.config_size,
638
-
artifact_type = excluded.artifact_type
638
+
artifact_type = excluded.artifact_type,
639
+
subject_digest = excluded.subject_digest
639
640
WHERE excluded.hold_endpoint != manifests.hold_endpoint
640
641
OR excluded.schema_version != manifests.schema_version
641
642
OR excluded.media_type != manifests.media_type
642
643
OR excluded.config_digest IS NOT manifests.config_digest
643
644
OR excluded.config_size IS NOT manifests.config_size
644
645
OR excluded.artifact_type != manifests.artifact_type
646
+
OR excluded.subject_digest IS NOT manifests.subject_digest
645
647
`, manifest.DID, manifest.Repository, manifest.Digest, manifest.HoldEndpoint,
646
648
manifest.SchemaVersion, manifest.MediaType, manifest.ConfigDigest,
647
-
manifest.ConfigSize, manifest.ArtifactType, manifest.CreatedAt)
649
+
manifest.ConfigSize, manifest.ArtifactType,
650
+
sql.NullString{String: manifest.SubjectDigest, Valid: manifest.SubjectDigest != ""},
651
+
manifest.CreatedAt)
648
652
649
653
if err != nil {
650
654
return 0, err
···
776
780
// Single-arch tags will have empty Platforms slice (platform is obvious for single-arch)
777
781
// Attestation references (unknown/unknown platforms) are filtered out but tracked via HasAttestations
778
782
func GetTagsWithPlatforms(db DBTX, did, repository string, limit, offset int) ([]TagWithPlatforms, error) {
779
-
rows, err := db.Query(`
783
+
return getTagsWithPlatformsFiltered(db, did, repository, "", limit, offset)
784
+
}
785
+
786
+
// getTagsWithPlatformsFiltered is the shared implementation for GetTagsWithPlatforms and GetTagByName.
787
+
// If tagName is non-empty, only that specific tag is returned.
788
+
func getTagsWithPlatformsFiltered(db DBTX, did, repository, tagName string, limit, offset int) ([]TagWithPlatforms, error) {
789
+
var tagFilter string
790
+
var args []any
791
+
if tagName != "" {
792
+
tagFilter = "AND tag = ?"
793
+
args = append(args, did, repository, tagName, limit, offset)
794
+
} else {
795
+
args = append(args, did, repository, limit, offset)
796
+
}
797
+
798
+
query := `
780
799
WITH paged_tags AS (
781
800
SELECT id, did, repository, tag, digest, created_at
782
801
FROM tags
783
802
WHERE did = ? AND repository = ?
803
+
` + tagFilter + `
784
804
ORDER BY created_at DESC
785
805
LIMIT ? OFFSET ?
786
806
)
···
806
826
JOIN manifests m ON t.digest = m.digest AND t.did = m.did AND t.repository = m.repository
807
827
LEFT JOIN manifest_references mr ON m.id = mr.manifest_id
808
828
LEFT JOIN manifests child_m ON mr.digest = child_m.digest AND child_m.did = t.did AND child_m.repository = t.repository
809
-
ORDER BY t.created_at DESC, mr.reference_index
810
-
`, did, repository, limit, offset)
829
+
ORDER BY t.created_at DESC, mr.reference_index`
811
830
831
+
rows, err := db.Query(query, args...)
812
832
if err != nil {
813
833
return nil, err
814
834
}
···
878
898
return result, nil
879
899
}
880
900
881
-
// DeleteManifest deletes a manifest and its associated layers
882
-
// If repository is empty, deletes all manifests matching did and digest
901
+
// DeleteManifest deletes a manifest and its associated layers.
902
+
// Also deletes any attestation manifests that reference this manifest via subject_digest.
903
+
// If repository is empty, deletes all manifests matching did and digest.
883
904
func DeleteManifest(db DBTX, did, repository, digest string) error {
884
905
var err error
885
906
if repository == "" {
886
-
// Delete by DID + digest only (used when repository is unknown, e.g., Jetstream DELETE events)
907
+
// Delete attestation children first, then the manifest itself
908
+
_, _ = db.Exec(`DELETE FROM manifests WHERE did = ? AND subject_digest = ?`, did, digest)
887
909
_, err = db.Exec(`DELETE FROM manifests WHERE did = ? AND digest = ?`, did, digest)
888
910
} else {
889
-
// Delete specific manifest
911
+
_, _ = db.Exec(`DELETE FROM manifests WHERE did = ? AND repository = ? AND subject_digest = ?`, did, repository, digest)
890
912
_, err = db.Exec(`DELETE FROM manifests WHERE did = ? AND repository = ? AND digest = ?`, did, repository, digest)
891
913
}
892
914
return err
···
1114
1136
LEFT JOIN tags t ON m.digest = t.digest AND m.did = t.did AND m.repository = t.repository
1115
1137
LEFT JOIN manifest_references mr ON m.id = mr.manifest_id
1116
1138
WHERE m.did = ? AND m.repository = ?
1139
+
AND m.subject_digest IS NULL
1140
+
AND m.artifact_type != 'unknown'
1117
1141
AND (
1118
1142
-- Include manifest lists
1119
1143
m.media_type LIKE '%index%' OR m.media_type LIKE '%manifest.list%'
···
1414
1438
FROM manifests m
1415
1439
LEFT JOIN tags t ON m.digest = t.digest AND m.did = t.did AND m.repository = t.repository
1416
1440
WHERE m.did = ? AND m.repository = ?
1441
+
AND m.subject_digest IS NULL
1417
1442
AND (
1418
1443
m.media_type LIKE '%index%' OR m.media_type LIKE '%manifest.list%'
1419
1444
OR
···
2435
2460
}
2436
2461
return true, nil
2437
2462
}
2463
+
2464
+
// GetTagByName returns a single tag with platform information by tag name.
2465
+
// Returns nil, nil if the tag doesn't exist.
2466
+
func GetTagByName(db DBTX, did, repository, tagName string) (*TagWithPlatforms, error) {
2467
+
tags, err := getTagsWithPlatformsFiltered(db, did, repository, tagName, 1, 0)
2468
+
if err != nil {
2469
+
return nil, err
2470
+
}
2471
+
if len(tags) == 0 {
2472
+
return nil, nil
2473
+
}
2474
+
return &tags[0], nil
2475
+
}
2476
+
2477
+
// GetAllTagNames returns all tag names for a repository, ordered by most recent first.
2478
+
func GetAllTagNames(db DBTX, did, repository string) ([]string, error) {
2479
+
rows, err := db.Query(`
2480
+
SELECT tag FROM tags
2481
+
WHERE did = ? AND repository = ?
2482
+
ORDER BY created_at DESC
2483
+
`, did, repository)
2484
+
if err != nil {
2485
+
return nil, err
2486
+
}
2487
+
defer rows.Close()
2488
+
2489
+
var names []string
2490
+
for rows.Next() {
2491
+
var name string
2492
+
if err := rows.Scan(&name); err != nil {
2493
+
return nil, err
2494
+
}
2495
+
names = append(names, name)
2496
+
}
2497
+
return names, rows.Err()
2498
+
}
2499
+
2500
+
// GetLayerCountForManifest returns the number of layers for a manifest identified by digest.
2501
+
func GetLayerCountForManifest(db DBTX, did, repository, digest string) (int, error) {
2502
+
var count int
2503
+
err := db.QueryRow(`
2504
+
SELECT COUNT(*) FROM layers l
2505
+
JOIN manifests m ON l.manifest_id = m.id
2506
+
WHERE m.did = ? AND m.repository = ? AND m.digest = ?
2507
+
`, did, repository, digest).Scan(&count)
2508
+
return count, err
2509
+
}
2510
+
2511
+
// GetAdvisorSuggestions returns cached AI advisor suggestions for a manifest digest.
2512
+
// Returns sql.ErrNoRows if no cached suggestions exist.
2513
+
func GetAdvisorSuggestions(db DBTX, manifestDigest string) (suggestionsJSON string, createdAt time.Time, err error) {
2514
+
err = db.QueryRow(
2515
+
`SELECT suggestions_json, created_at FROM advisor_suggestions WHERE manifest_digest = ?`,
2516
+
manifestDigest,
2517
+
).Scan(&suggestionsJSON, &createdAt)
2518
+
return
2519
+
}
2520
+
2521
+
// UpsertAdvisorSuggestions caches AI advisor suggestions for a manifest digest.
2522
+
func UpsertAdvisorSuggestions(db DBTX, manifestDigest, suggestionsJSON string) error {
2523
+
_, err := db.Exec(
2524
+
`INSERT OR REPLACE INTO advisor_suggestions (manifest_digest, suggestions_json, created_at) VALUES (?, ?, CURRENT_TIMESTAMP)`,
2525
+
manifestDigest, suggestionsJSON,
2526
+
)
2527
+
return err
2528
+
}
2529
+
2530
+
// UpsertDailyStats inserts or updates daily repository stats
2531
+
func UpsertDailyStats(db DBTX, stats *DailyStats) error {
2532
+
_, err := db.Exec(`
2533
+
INSERT INTO repository_stats_daily (did, repository, date, pull_count, push_count)
2534
+
VALUES (?, ?, ?, ?, ?)
2535
+
ON CONFLICT(did, repository, date) DO UPDATE SET
2536
+
pull_count = excluded.pull_count,
2537
+
push_count = excluded.push_count
2538
+
WHERE excluded.pull_count != repository_stats_daily.pull_count
2539
+
OR excluded.push_count != repository_stats_daily.push_count
2540
+
`, stats.DID, stats.Repository, stats.Date, stats.PullCount, stats.PushCount)
2541
+
return err
2542
+
}
2543
+
2544
+
// GetDailyStats retrieves daily stats for a repository within a date range
2545
+
// startDate and endDate should be in YYYY-MM-DD format
2546
+
func GetDailyStats(db DBTX, did, repository, startDate, endDate string) ([]DailyStats, error) {
2547
+
rows, err := db.Query(`
2548
+
SELECT did, repository, date, pull_count, push_count
2549
+
FROM repository_stats_daily
2550
+
WHERE did = ? AND repository = ? AND date >= ? AND date <= ?
2551
+
ORDER BY date ASC
2552
+
`, did, repository, startDate, endDate)
2553
+
if err != nil {
2554
+
return nil, err
2555
+
}
2556
+
defer rows.Close()
2557
+
2558
+
var stats []DailyStats
2559
+
for rows.Next() {
2560
+
var s DailyStats
2561
+
if err := rows.Scan(&s.DID, &s.Repository, &s.Date, &s.PullCount, &s.PushCount); err != nil {
2562
+
return nil, err
2563
+
}
2564
+
stats = append(stats, s)
2565
+
}
2566
+
return stats, rows.Err()
2567
+
}
+19
pkg/appview/db/schema.sql
+19
pkg/appview/db/schema.sql
···
30
30
config_digest TEXT,
31
31
config_size INTEGER,
32
32
artifact_type TEXT NOT NULL DEFAULT 'container-image', -- container-image, helm-chart, unknown
33
+
subject_digest TEXT, -- digest of the parent manifest (for attestations/referrers)
33
34
created_at TIMESTAMP NOT NULL,
34
35
UNIQUE(did, repository, digest),
35
36
FOREIGN KEY(did) REFERENCES users(did) ON DELETE CASCADE
···
38
39
CREATE INDEX IF NOT EXISTS idx_manifests_created_at ON manifests(created_at DESC);
39
40
CREATE INDEX IF NOT EXISTS idx_manifests_digest ON manifests(digest);
40
41
CREATE INDEX IF NOT EXISTS idx_manifests_artifact_type ON manifests(artifact_type);
42
+
CREATE INDEX IF NOT EXISTS idx_manifests_subject_digest ON manifests(subject_digest);
41
43
42
44
CREATE TABLE IF NOT EXISTS repository_annotations (
43
45
did TEXT NOT NULL,
···
167
169
CREATE INDEX IF NOT EXISTS idx_repository_stats_did ON repository_stats(did);
168
170
CREATE INDEX IF NOT EXISTS idx_repository_stats_pull_count ON repository_stats(pull_count DESC);
169
171
172
+
CREATE TABLE IF NOT EXISTS repository_stats_daily (
173
+
did TEXT NOT NULL,
174
+
repository TEXT NOT NULL,
175
+
date TEXT NOT NULL,
176
+
pull_count INTEGER NOT NULL DEFAULT 0,
177
+
push_count INTEGER NOT NULL DEFAULT 0,
178
+
PRIMARY KEY(did, repository, date),
179
+
FOREIGN KEY(did) REFERENCES users(did) ON DELETE CASCADE
180
+
);
181
+
CREATE INDEX IF NOT EXISTS idx_repo_stats_daily_date ON repository_stats_daily(date DESC);
182
+
170
183
CREATE TABLE IF NOT EXISTS stars (
171
184
starrer_did TEXT NOT NULL,
172
185
owner_did TEXT NOT NULL,
···
273
286
PRIMARY KEY(hold_did, manifest_digest)
274
287
);
275
288
CREATE INDEX IF NOT EXISTS idx_scans_user ON scans(user_did);
289
+
290
+
CREATE TABLE IF NOT EXISTS advisor_suggestions (
291
+
manifest_digest TEXT PRIMARY KEY,
292
+
suggestions_json TEXT NOT NULL,
293
+
created_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP
294
+
);
+6
-5
pkg/appview/handlers/base.go
+6
-5
pkg/appview/handlers/base.go
···
40
40
OAuthStore *db.OAuthStore
41
41
42
42
// Config
43
-
DefaultHoldDID string
44
-
CompanyName string
45
-
Jurisdiction string
46
-
ClientName string // Full name: "AT Container Registry"
47
-
ClientShortName string // Short name: "ATCR"
43
+
DefaultHoldDID string
44
+
CompanyName string
45
+
Jurisdiction string
46
+
ClientName string // Full name: "AT Container Registry"
47
+
ClientShortName string // Short name: "ATCR"
48
+
AIAdvisorEnabled bool // True when Claude API key is configured
48
49
}
+16
-14
pkg/appview/handlers/common.go
+16
-14
pkg/appview/handlers/common.go
···
10
10
11
11
// PageData contains common fields shared across all page templates
12
12
type PageData struct {
13
-
User *db.User // Logged-in user (nil if not logged in)
14
-
Query string // Search query from URL parameter
15
-
RegistryURL string // Docker registry domain (e.g., "buoy.cr")
16
-
SiteURL string // Website domain (e.g., "seamark.dev")
17
-
ClientName string // Brand name for templates (e.g., "AT Container Registry")
18
-
ClientShortName string // Brand name for templates (e.g., "ATCR")
19
-
OciClient string // Preferred OCI client for pull commands (e.g., "docker", "podman")
13
+
User *db.User // Logged-in user (nil if not logged in)
14
+
Query string // Search query from URL parameter
15
+
RegistryURL string // Docker registry domain (e.g., "buoy.cr")
16
+
SiteURL string // Website domain (e.g., "seamark.dev")
17
+
ClientName string // Brand name for templates (e.g., "AT Container Registry")
18
+
ClientShortName string // Brand name for templates (e.g., "ATCR")
19
+
OciClient string // Preferred OCI client for pull commands (e.g., "docker", "podman")
20
+
AIAdvisorEnabled bool // True when AI Image Advisor is available
20
21
}
21
22
22
23
// NewPageData creates a PageData struct with common fields populated from the request
···
27
28
ociClient = user.OciClient
28
29
}
29
30
return PageData{
30
-
User: user,
31
-
Query: r.URL.Query().Get("q"),
32
-
RegistryURL: h.RegistryURL,
33
-
SiteURL: h.SiteURL,
34
-
ClientName: h.ClientName,
35
-
ClientShortName: h.ClientShortName,
36
-
OciClient: ociClient,
31
+
User: user,
32
+
Query: r.URL.Query().Get("q"),
33
+
RegistryURL: h.RegistryURL,
34
+
SiteURL: h.SiteURL,
35
+
ClientName: h.ClientName,
36
+
ClientShortName: h.ClientShortName,
37
+
OciClient: ociClient,
38
+
AIAdvisorEnabled: h.AIAdvisorEnabled,
37
39
}
38
40
}
39
41
+23
-3
pkg/appview/handlers/diff.go
+23
-3
pkg/appview/handlers/diff.go
···
210
210
return
211
211
}
212
212
213
-
fromDigest := r.URL.Query().Get("from")
214
-
toDigest := r.URL.Query().Get("to")
215
-
if fromDigest == "" || toDigest == "" {
213
+
fromParam := r.URL.Query().Get("from")
214
+
toParam := r.URL.Query().Get("to")
215
+
if fromParam == "" || toParam == "" {
216
216
RenderNotFound(w, r, &h.BaseUIHandler)
217
217
return
218
218
}
···
232
232
if owner.Handle != resolvedHandle {
233
233
_ = db.UpdateUserHandle(h.ReadOnlyDB, did, resolvedHandle)
234
234
owner.Handle = resolvedHandle
235
+
}
236
+
237
+
// Resolve from/to params — accept either digests (sha256:...) or tag names
238
+
fromDigest := fromParam
239
+
toDigest := toParam
240
+
if !strings.HasPrefix(fromDigest, "sha256:") {
241
+
tag, err := db.GetTagByName(h.ReadOnlyDB, owner.DID, repo, fromParam)
242
+
if err != nil || tag == nil {
243
+
RenderNotFound(w, r, &h.BaseUIHandler)
244
+
return
245
+
}
246
+
fromDigest = tag.Digest
247
+
}
248
+
if !strings.HasPrefix(toDigest, "sha256:") {
249
+
tag, err := db.GetTagByName(h.ReadOnlyDB, owner.DID, repo, toParam)
250
+
if err != nil || tag == nil {
251
+
RenderNotFound(w, r, &h.BaseUIHandler)
252
+
return
253
+
}
254
+
toDigest = tag.Digest
235
255
}
236
256
237
257
// Fetch both manifests
+2
-2
pkg/appview/handlers/diff_test.go
+2
-2
pkg/appview/handlers/diff_test.go
···
45
45
digest string
46
46
}{
47
47
{"shared", "sha256:base"},
48
-
{"removed", "sha256:old"}, // no command, different digest → -/+
48
+
{"removed", "sha256:old"}, // no command, different digest → -/+
49
49
{"added", "sha256:new1"},
50
-
{"added", "sha256:new2"}, // extra layer in to
50
+
{"added", "sha256:new2"}, // extra layer in to
51
51
}
52
52
53
53
for i, e := range expected {
+24
-3
pkg/appview/handlers/digest_content.go
+24
-3
pkg/appview/handlers/digest_content.go
···
91
91
}
92
92
93
93
w.Header().Set("Content-Type", "text/html")
94
-
if err := h.Templates.ExecuteTemplate(w, "digest-content", data); err != nil {
95
-
slog.Warn("Failed to render digest content", "error", err)
96
-
http.Error(w, err.Error(), http.StatusInternalServerError)
94
+
95
+
// Support rendering individual sections for repo page tabs
96
+
section := r.URL.Query().Get("section")
97
+
switch section {
98
+
case "layers":
99
+
if err := h.Templates.ExecuteTemplate(w, "layers-section", data); err != nil {
100
+
slog.Warn("Failed to render layers section", "error", err)
101
+
http.Error(w, err.Error(), http.StatusInternalServerError)
102
+
}
103
+
case "vulns":
104
+
if err := h.Templates.ExecuteTemplate(w, "vulns-section", data); err != nil {
105
+
slog.Warn("Failed to render vulns section", "error", err)
106
+
http.Error(w, err.Error(), http.StatusInternalServerError)
107
+
}
108
+
case "sbom":
109
+
if err := h.Templates.ExecuteTemplate(w, "sbom-section", data); err != nil {
110
+
slog.Warn("Failed to render sbom section", "error", err)
111
+
http.Error(w, err.Error(), http.StatusInternalServerError)
112
+
}
113
+
default:
114
+
if err := h.Templates.ExecuteTemplate(w, "digest-content", data); err != nil {
115
+
slog.Warn("Failed to render digest content", "error", err)
116
+
http.Error(w, err.Error(), http.StatusInternalServerError)
117
+
}
97
118
}
98
119
}
+754
pkg/appview/handlers/image_advisor.go
+754
pkg/appview/handlers/image_advisor.go
···
1
+
package handlers
2
+
3
+
import (
4
+
"bytes"
5
+
"context"
6
+
"encoding/json"
7
+
"fmt"
8
+
"io"
9
+
"log/slog"
10
+
"net/http"
11
+
"net/url"
12
+
"sort"
13
+
"strings"
14
+
"time"
15
+
16
+
"atcr.io/pkg/appview/db"
17
+
"atcr.io/pkg/appview/middleware"
18
+
"atcr.io/pkg/appview/storage"
19
+
"atcr.io/pkg/atproto"
20
+
"github.com/go-chi/chi/v5"
21
+
)
22
+
23
+
// ImageAdvisorHandler returns AI-powered suggestions for improving a container image.
24
+
// Returns an HTML fragment (image-advisor-results partial) via HTMX.
25
+
type ImageAdvisorHandler struct {
26
+
BaseUIHandler
27
+
ClaudeAPIKey string
28
+
}
29
+
30
+
type advisorSuggestion struct {
31
+
Action string `json:"action"`
32
+
Category string `json:"category"`
33
+
Impact string `json:"impact"`
34
+
Effort string `json:"effort"`
35
+
CVEsFixed int `json:"cves_fixed"`
36
+
SizeSavedMB int `json:"size_saved_mb"`
37
+
Detail string `json:"detail"`
38
+
}
39
+
40
+
type imageAdvisorData struct {
41
+
Suggestions []advisorSuggestion
42
+
Error string
43
+
}
44
+
45
+
// OCI config types for full image config parsing
46
+
type advisorOCIConfig struct {
47
+
Architecture string `json:"architecture"`
48
+
OS string `json:"os"`
49
+
Config advisorOCIContainerConfig `json:"config"`
50
+
History []advisorOCIHistory `json:"history"`
51
+
}
52
+
53
+
type advisorOCIContainerConfig struct {
54
+
Env []string `json:"Env"`
55
+
Cmd []string `json:"Cmd"`
56
+
Entrypoint []string `json:"Entrypoint"`
57
+
WorkingDir string `json:"WorkingDir"`
58
+
ExposedPorts map[string]struct{} `json:"ExposedPorts"`
59
+
Labels map[string]string `json:"Labels"`
60
+
User string `json:"User"`
61
+
}
62
+
63
+
type advisorOCIHistory struct {
64
+
CreatedBy string `json:"created_by"`
65
+
EmptyLayer bool `json:"empty_layer"`
66
+
}
67
+
68
+
// SPDX types for SBOM parsing
69
+
type advisorSPDX struct {
70
+
Packages []advisorSPDXPackage `json:"packages"`
71
+
}
72
+
73
+
type advisorSPDXPackage struct {
74
+
SPDXID string `json:"SPDXID"`
75
+
Name string `json:"name"`
76
+
VersionInfo string `json:"versionInfo"`
77
+
Supplier string `json:"supplier"`
78
+
}
79
+
80
+
// advisorReportData holds all fetched data for prompt generation
81
+
type advisorReportData struct {
82
+
Handle string
83
+
Repository string
84
+
Digest string
85
+
Platform string
86
+
87
+
Config *advisorOCIConfig
88
+
Layers []db.Layer
89
+
ScanRecord *atproto.ScanRecord
90
+
VulnReport *grypeReport
91
+
SBOM *advisorSPDX
92
+
}
93
+
94
+
func (h *ImageAdvisorHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
95
+
if h.ClaudeAPIKey == "" {
96
+
h.renderResults(w, imageAdvisorData{Error: "AI advisor is not configured"})
97
+
return
98
+
}
99
+
100
+
identifier := chi.URLParam(r, "handle")
101
+
wildcard := strings.TrimPrefix(chi.URLParam(r, "*"), "/")
102
+
digest := r.URL.Query().Get("digest")
103
+
104
+
if wildcard == "" || digest == "" {
105
+
h.renderResults(w, imageAdvisorData{Error: "Missing required parameters"})
106
+
return
107
+
}
108
+
109
+
// Verify the logged-in user owns this image
110
+
user := middleware.GetUser(r)
111
+
if user == nil {
112
+
h.renderResults(w, imageAdvisorData{Error: "Login required"})
113
+
return
114
+
}
115
+
116
+
// Check billing access
117
+
if h.BillingManager != nil && !h.BillingManager.HasAIAdvisor(user.DID) {
118
+
h.renderResults(w, imageAdvisorData{Error: "upgrade_required"})
119
+
return
120
+
}
121
+
122
+
// Check user preference
123
+
client := atproto.NewClientWithSessionProvider(user.PDSEndpoint, user.DID, h.Refresher)
124
+
profile, err := storage.GetProfile(r.Context(), client)
125
+
if err == nil && profile != nil && profile.AIAdvisorEnabled != nil && !*profile.AIAdvisorEnabled {
126
+
h.renderResults(w, imageAdvisorData{Error: "AI advisor is disabled in your settings"})
127
+
return
128
+
}
129
+
130
+
// Resolve identity
131
+
did, resolvedHandle, _, err := atproto.ResolveIdentity(r.Context(), identifier)
132
+
if err != nil {
133
+
h.renderResults(w, imageAdvisorData{Error: "Could not resolve identity"})
134
+
return
135
+
}
136
+
137
+
if user.DID != did {
138
+
h.renderResults(w, imageAdvisorData{Error: "You can only generate suggestions for your own images"})
139
+
return
140
+
}
141
+
142
+
// Fetch manifest
143
+
manifest, err := db.GetManifestDetail(h.ReadOnlyDB, did, wildcard, digest)
144
+
if err != nil {
145
+
h.renderResults(w, imageAdvisorData{Error: "Manifest not found"})
146
+
return
147
+
}
148
+
149
+
// For manifest lists, the caller should pass a platform-specific child digest.
150
+
// If they somehow pass the list digest itself, resolve to the first platform.
151
+
if manifest.IsManifestList {
152
+
if len(manifest.Platforms) == 0 {
153
+
h.renderResults(w, imageAdvisorData{Error: "No platforms found in manifest list"})
154
+
return
155
+
}
156
+
childDigest := manifest.Platforms[0].Digest
157
+
childManifest, err := db.GetManifestDetail(h.ReadOnlyDB, did, wildcard, childDigest)
158
+
if err != nil {
159
+
h.renderResults(w, imageAdvisorData{Error: "Could not resolve platform manifest"})
160
+
return
161
+
}
162
+
manifest = childManifest
163
+
digest = childDigest
164
+
}
165
+
166
+
// Check cache first
167
+
if cachedJSON, _, err := db.GetAdvisorSuggestions(h.ReadOnlyDB, digest); err == nil {
168
+
suggestions, err := parseAdvisorResponse(cachedJSON)
169
+
if err == nil {
170
+
slog.Debug("Serving cached advisor suggestions", "digest", digest)
171
+
h.renderResults(w, imageAdvisorData{Suggestions: suggestions})
172
+
return
173
+
}
174
+
slog.Debug("Cached advisor data unparseable, fetching fresh", "digest", digest)
175
+
}
176
+
177
+
// Resolve hold
178
+
hold, err := ResolveHold(r.Context(), h.ReadOnlyDB, manifest.HoldEndpoint)
179
+
if err != nil {
180
+
h.renderResults(w, imageAdvisorData{Error: "Could not resolve hold endpoint"})
181
+
return
182
+
}
183
+
184
+
// Build report data
185
+
report := &advisorReportData{
186
+
Handle: resolvedHandle,
187
+
Repository: wildcard,
188
+
Digest: digest,
189
+
}
190
+
191
+
ctx, cancel := context.WithTimeout(r.Context(), 30*time.Second)
192
+
defer cancel()
193
+
194
+
// Fetch full OCI image config
195
+
config, err := fetchAdvisorImageConfig(ctx, hold.URL, digest)
196
+
if err != nil {
197
+
slog.Debug("Failed to fetch image config for advisor", "error", err)
198
+
} else {
199
+
report.Config = config
200
+
report.Platform = config.OS + "/" + config.Architecture
201
+
}
202
+
203
+
// Fetch layers for size info
204
+
dbLayers, err := db.GetLayersForManifest(h.ReadOnlyDB, manifest.ID)
205
+
if err != nil {
206
+
slog.Debug("Failed to fetch layers for advisor", "error", err)
207
+
}
208
+
report.Layers = dbLayers
209
+
210
+
// Fetch scan data (scan record + vuln blob + SBOM blob)
211
+
scanRecord, vulnReport, sbom := fetchAdvisorScanData(ctx, hold.URL, hold.DID, digest)
212
+
report.ScanRecord = scanRecord
213
+
report.VulnReport = vulnReport
214
+
report.SBOM = sbom
215
+
216
+
// Generate prompt
217
+
var promptBuf strings.Builder
218
+
generateAdvisorPrompt(&promptBuf, report)
219
+
220
+
// Call Claude API
221
+
responseText, err := callClaudeAPI(ctx, h.ClaudeAPIKey, promptBuf.String())
222
+
if err != nil {
223
+
slog.Warn("Claude API call failed", "error", err)
224
+
h.renderResults(w, imageAdvisorData{Error: "AI service request failed: " + err.Error()})
225
+
return
226
+
}
227
+
228
+
// Parse JSON response
229
+
suggestions, err := parseAdvisorResponse(responseText)
230
+
if err != nil {
231
+
slog.Warn("Failed to parse advisor response", "error", err, "response", responseText)
232
+
h.renderResults(w, imageAdvisorData{Error: "Failed to parse AI response"})
233
+
return
234
+
}
235
+
236
+
// Cache the response
237
+
if err := db.UpsertAdvisorSuggestions(h.DB, digest, responseText); err != nil {
238
+
slog.Warn("Failed to cache advisor suggestions", "error", err)
239
+
}
240
+
241
+
h.renderResults(w, imageAdvisorData{Suggestions: suggestions})
242
+
}
243
+
244
+
func (h *ImageAdvisorHandler) renderResults(w http.ResponseWriter, data imageAdvisorData) {
245
+
w.Header().Set("Content-Type", "text/html")
246
+
if err := h.Templates.ExecuteTemplate(w, "image-advisor-results", data); err != nil {
247
+
slog.Warn("Failed to render image advisor results", "error", err)
248
+
}
249
+
}
250
+
251
+
// fetchAdvisorImageConfig fetches the full OCI image config from the hold.
252
+
func fetchAdvisorImageConfig(ctx context.Context, holdURL, manifestDigest string) (*advisorOCIConfig, error) {
253
+
reqURL := fmt.Sprintf("%s%s?digest=%s",
254
+
strings.TrimSuffix(holdURL, "/"),
255
+
atproto.HoldGetImageConfig,
256
+
url.QueryEscape(manifestDigest),
257
+
)
258
+
259
+
req, err := http.NewRequestWithContext(ctx, "GET", reqURL, nil)
260
+
if err != nil {
261
+
return nil, err
262
+
}
263
+
264
+
resp, err := http.DefaultClient.Do(req)
265
+
if err != nil {
266
+
return nil, err
267
+
}
268
+
defer resp.Body.Close()
269
+
270
+
if resp.StatusCode != http.StatusOK {
271
+
return nil, fmt.Errorf("hold returned %d", resp.StatusCode)
272
+
}
273
+
274
+
var record struct {
275
+
ConfigJSON string `json:"configJson"`
276
+
}
277
+
if err := json.NewDecoder(resp.Body).Decode(&record); err != nil {
278
+
return nil, err
279
+
}
280
+
281
+
var config advisorOCIConfig
282
+
if err := json.Unmarshal([]byte(record.ConfigJSON), &config); err != nil {
283
+
return nil, err
284
+
}
285
+
return &config, nil
286
+
}
287
+
288
+
// fetchAdvisorScanData fetches the scan record plus vuln and SBOM blobs.
289
+
func fetchAdvisorScanData(ctx context.Context, holdURL, holdDID, digest string) (*atproto.ScanRecord, *grypeReport, *advisorSPDX) {
290
+
rkey := strings.TrimPrefix(digest, "sha256:")
291
+
292
+
scanURL := fmt.Sprintf("%s/xrpc/com.atproto.repo.getRecord?repo=%s&collection=%s&rkey=%s",
293
+
strings.TrimSuffix(holdURL, "/"),
294
+
url.QueryEscape(holdDID),
295
+
url.QueryEscape(atproto.ScanCollection),
296
+
url.QueryEscape(rkey),
297
+
)
298
+
299
+
req, err := http.NewRequestWithContext(ctx, "GET", scanURL, nil)
300
+
if err != nil {
301
+
return nil, nil, nil
302
+
}
303
+
304
+
resp, err := http.DefaultClient.Do(req)
305
+
if err != nil {
306
+
return nil, nil, nil
307
+
}
308
+
defer resp.Body.Close()
309
+
310
+
if resp.StatusCode != http.StatusOK {
311
+
return nil, nil, nil
312
+
}
313
+
314
+
var envelope struct {
315
+
Value json.RawMessage `json:"value"`
316
+
}
317
+
if err := json.NewDecoder(resp.Body).Decode(&envelope); err != nil {
318
+
return nil, nil, nil
319
+
}
320
+
321
+
var scanRecord atproto.ScanRecord
322
+
if err := json.Unmarshal(envelope.Value, &scanRecord); err != nil {
323
+
return nil, nil, nil
324
+
}
325
+
326
+
// Fetch vuln report blob
327
+
var vulnReport *grypeReport
328
+
if scanRecord.VulnReportBlob != nil && scanRecord.VulnReportBlob.Ref.String() != "" {
329
+
vulnReport = fetchAdvisorBlob[grypeReport](ctx, holdURL, holdDID, scanRecord.VulnReportBlob.Ref.String())
330
+
}
331
+
332
+
// Fetch SBOM blob
333
+
var sbom *advisorSPDX
334
+
if scanRecord.SbomBlob != nil && scanRecord.SbomBlob.Ref.String() != "" {
335
+
sbom = fetchAdvisorBlob[advisorSPDX](ctx, holdURL, holdDID, scanRecord.SbomBlob.Ref.String())
336
+
}
337
+
338
+
return &scanRecord, vulnReport, sbom
339
+
}
340
+
341
+
// fetchAdvisorBlob fetches and JSON-decodes a blob from the hold.
342
+
func fetchAdvisorBlob[T any](ctx context.Context, holdURL, holdDID, cid string) *T {
343
+
blobURL := fmt.Sprintf("%s/xrpc/com.atproto.sync.getBlob?did=%s&cid=%s",
344
+
strings.TrimSuffix(holdURL, "/"),
345
+
url.QueryEscape(holdDID),
346
+
url.QueryEscape(cid),
347
+
)
348
+
349
+
req, err := http.NewRequestWithContext(ctx, "GET", blobURL, nil)
350
+
if err != nil {
351
+
return nil
352
+
}
353
+
354
+
resp, err := http.DefaultClient.Do(req)
355
+
if err != nil {
356
+
return nil
357
+
}
358
+
defer resp.Body.Close()
359
+
360
+
if resp.StatusCode != http.StatusOK {
361
+
return nil
362
+
}
363
+
364
+
var result T
365
+
if err := json.NewDecoder(resp.Body).Decode(&result); err != nil {
366
+
return nil
367
+
}
368
+
return &result
369
+
}
370
+
371
+
// generateAdvisorPrompt writes the system+data prompt for the AI advisor.
372
+
func generateAdvisorPrompt(w io.Writer, r *advisorReportData) {
373
+
// Data block
374
+
ref := r.Handle + "/" + r.Repository
375
+
totalSize := int64(0)
376
+
for _, l := range r.Layers {
377
+
totalSize += l.Size
378
+
}
379
+
380
+
fmt.Fprintf(w, "image: %s\ndigest: %s\n", ref, r.Digest)
381
+
if r.Platform != "" {
382
+
fmt.Fprintf(w, "platform: %s\n", r.Platform)
383
+
}
384
+
fmt.Fprintf(w, "total_size: %s\nlayers: %d\n", advisorHumanSize(totalSize), len(r.Layers))
385
+
386
+
if r.Config != nil {
387
+
c := r.Config.Config
388
+
user := c.User
389
+
if user == "" {
390
+
user = "root"
391
+
}
392
+
fmt.Fprintf(w, "user: %s\n", user)
393
+
if c.WorkingDir != "" {
394
+
fmt.Fprintf(w, "workdir: %s\n", c.WorkingDir)
395
+
}
396
+
if len(c.Entrypoint) > 0 {
397
+
fmt.Fprintf(w, "entrypoint: %s\n", strings.Join(c.Entrypoint, " "))
398
+
}
399
+
if len(c.Cmd) > 0 {
400
+
fmt.Fprintf(w, "cmd: %s\n", strings.Join(c.Cmd, " "))
401
+
}
402
+
if len(c.ExposedPorts) > 0 {
403
+
ports := make([]string, 0, len(c.ExposedPorts))
404
+
for p := range c.ExposedPorts {
405
+
ports = append(ports, p)
406
+
}
407
+
fmt.Fprintf(w, "ports: %s\n", strings.Join(ports, ","))
408
+
}
409
+
if len(c.Env) > 0 {
410
+
fmt.Fprintln(w, "env:")
411
+
for _, env := range c.Env {
412
+
parts := strings.SplitN(env, "=", 2)
413
+
if advisorShouldRedact(parts[0]) {
414
+
fmt.Fprintf(w, " - %s=[REDACTED]\n", parts[0])
415
+
} else {
416
+
fmt.Fprintf(w, " - %s\n", env)
417
+
}
418
+
}
419
+
}
420
+
if len(c.Labels) > 0 {
421
+
fmt.Fprintln(w, "labels:")
422
+
keys := make([]string, 0, len(c.Labels))
423
+
for k := range c.Labels {
424
+
keys = append(keys, k)
425
+
}
426
+
sort.Strings(keys)
427
+
for _, k := range keys {
428
+
v := c.Labels[k]
429
+
if len(v) > 80 {
430
+
v = v[:77] + "..."
431
+
}
432
+
fmt.Fprintf(w, " %s: %s\n", k, v)
433
+
}
434
+
}
435
+
436
+
// History with layer sizes
437
+
fmt.Fprintln(w, "history:")
438
+
layerIdx := 0
439
+
for _, h := range r.Config.History {
440
+
cmd := advisorCleanCommand(h.CreatedBy)
441
+
if len(cmd) > 100 {
442
+
cmd = cmd[:97] + "..."
443
+
}
444
+
if !h.EmptyLayer && layerIdx < len(r.Layers) {
445
+
fmt.Fprintf(w, " - [%s] %s\n", advisorHumanSize(r.Layers[layerIdx].Size), cmd)
446
+
layerIdx++
447
+
} else {
448
+
fmt.Fprintf(w, " - %s\n", cmd)
449
+
}
450
+
}
451
+
}
452
+
453
+
// Vulnerability summary
454
+
if r.ScanRecord != nil {
455
+
sr := r.ScanRecord
456
+
fmt.Fprintf(w, "vulns: {critical: %d, high: %d, medium: %d, low: %d, total: %d}\n",
457
+
sr.Critical, sr.High, sr.Medium, sr.Low, sr.Total)
458
+
}
459
+
460
+
// Fixable critical/high vulns
461
+
if r.VulnReport != nil {
462
+
type pkgInfo struct {
463
+
version string
464
+
typ string
465
+
fixes map[string]bool
466
+
cves []string
467
+
maxSev int
468
+
}
469
+
pkgs := map[string]*pkgInfo{}
470
+
471
+
for _, m := range r.VulnReport.Matches {
472
+
sev := m.Vulnerability.Metadata.Severity
473
+
if sev != "Critical" && sev != "High" {
474
+
continue
475
+
}
476
+
key := m.Package.Name
477
+
p, ok := pkgs[key]
478
+
if !ok {
479
+
p = &pkgInfo{version: m.Package.Version, typ: m.Package.Type, fixes: map[string]bool{}, maxSev: 5}
480
+
pkgs[key] = p
481
+
}
482
+
p.cves = append(p.cves, m.Vulnerability.ID)
483
+
for _, f := range m.Vulnerability.Fix.Versions {
484
+
p.fixes[f] = true
485
+
}
486
+
if s := advisorSeverityRank(sev); s < p.maxSev {
487
+
p.maxSev = s
488
+
}
489
+
}
490
+
491
+
if len(pkgs) > 0 {
492
+
fmt.Fprintln(w, "fixable_critical_high:")
493
+
type entry struct {
494
+
name string
495
+
info *pkgInfo
496
+
}
497
+
sorted := make([]entry, 0, len(pkgs))
498
+
for n, p := range pkgs {
499
+
sorted = append(sorted, entry{n, p})
500
+
}
501
+
sort.Slice(sorted, func(i, j int) bool {
502
+
if sorted[i].info.maxSev != sorted[j].info.maxSev {
503
+
return sorted[i].info.maxSev < sorted[j].info.maxSev
504
+
}
505
+
return len(sorted[i].info.cves) > len(sorted[j].info.cves)
506
+
})
507
+
508
+
for _, e := range sorted {
509
+
fixes := make([]string, 0, len(e.info.fixes))
510
+
for f := range e.info.fixes {
511
+
fixes = append(fixes, f)
512
+
}
513
+
sort.Strings(fixes)
514
+
fmt.Fprintf(w, " - pkg: %s@%s (%s) cves: %d fix: %s\n",
515
+
e.name, e.info.version, e.info.typ, len(e.info.cves), strings.Join(fixes, ","))
516
+
}
517
+
}
518
+
519
+
// Unfixable counts
520
+
unfixable := map[string]int{}
521
+
for _, m := range r.VulnReport.Matches {
522
+
if len(m.Vulnerability.Fix.Versions) == 0 {
523
+
unfixable[m.Vulnerability.Metadata.Severity]++
524
+
}
525
+
}
526
+
if len(unfixable) > 0 {
527
+
fmt.Fprintf(w, "unfixable:")
528
+
for _, sev := range []string{"Critical", "High", "Medium", "Low", "Negligible", "Unknown"} {
529
+
if c, ok := unfixable[sev]; ok {
530
+
fmt.Fprintf(w, " %s=%d", strings.ToLower(sev), c)
531
+
}
532
+
}
533
+
fmt.Fprintln(w)
534
+
}
535
+
}
536
+
537
+
// SBOM summary
538
+
if r.SBOM != nil {
539
+
typeCounts := map[string]int{}
540
+
total := 0
541
+
for _, p := range r.SBOM.Packages {
542
+
if strings.HasPrefix(p.SPDXID, "SPDXRef-DocumentRoot") || p.SPDXID == "SPDXRef-DOCUMENT" {
543
+
continue
544
+
}
545
+
total++
546
+
pkgType := advisorExtractPackageType(p.Supplier)
547
+
if pkgType == "" {
548
+
pkgType = "other"
549
+
}
550
+
typeCounts[pkgType]++
551
+
}
552
+
fmt.Fprintf(w, "sbom_packages: %d", total)
553
+
for t, c := range typeCounts {
554
+
fmt.Fprintf(w, " %s=%d", t, c)
555
+
}
556
+
fmt.Fprintln(w)
557
+
558
+
if r.VulnReport != nil {
559
+
vulnPkgs := map[string]int{}
560
+
for _, m := range r.VulnReport.Matches {
561
+
vulnPkgs[m.Package.Name]++
562
+
}
563
+
type pv struct {
564
+
name string
565
+
count int
566
+
}
567
+
sorted := make([]pv, 0, len(vulnPkgs))
568
+
for n, c := range vulnPkgs {
569
+
sorted = append(sorted, pv{n, c})
570
+
}
571
+
sort.Slice(sorted, func(i, j int) bool { return sorted[i].count > sorted[j].count })
572
+
if len(sorted) > 10 {
573
+
sorted = sorted[:10]
574
+
}
575
+
fmt.Fprintln(w, "top_vulnerable_packages:")
576
+
for _, p := range sorted {
577
+
fmt.Fprintf(w, " - %s: %d\n", p.name, p.count)
578
+
}
579
+
}
580
+
}
581
+
}
582
+
583
+
// callClaudeAPI sends the prompt to Claude Haiku using tool use and returns the structured JSON.
584
+
func callClaudeAPI(ctx context.Context, apiKey, prompt string) (string, error) {
585
+
reqBody := map[string]any{
586
+
"model": "claude-haiku-4-5-20251001",
587
+
"max_tokens": 2048,
588
+
"system": "Analyze the container image data. Provide actionable suggestions sorted by impact (highest first).",
589
+
"tools": []map[string]any{{
590
+
"name": "suggest_fixes",
591
+
"description": "Return actionable suggestions for improving a container image, sorted by impact.",
592
+
"input_schema": map[string]any{
593
+
"type": "object",
594
+
"properties": map[string]any{
595
+
"suggestions": map[string]any{
596
+
"type": "array",
597
+
"items": map[string]any{
598
+
"type": "object",
599
+
"properties": map[string]any{
600
+
"action": map[string]any{"type": "string", "description": "Specific actionable step"},
601
+
"category": map[string]any{"type": "string", "enum": []string{"vulnerability", "size", "cache", "security", "best-practice"}},
602
+
"impact": map[string]any{"type": "string", "enum": []string{"high", "medium", "low"}},
603
+
"effort": map[string]any{"type": "string", "enum": []string{"low", "medium", "high"}},
604
+
"cves_fixed": map[string]any{"type": "integer", "description": "Number of CVEs fixed, or 0"},
605
+
"size_saved_mb": map[string]any{"type": "integer", "description": "Estimated MB saved, or 0"},
606
+
"detail": map[string]any{"type": "string", "description": "One sentence with specific package names, versions, or commands"},
607
+
},
608
+
"required": []string{"action", "category", "impact", "effort", "cves_fixed", "size_saved_mb", "detail"},
609
+
},
610
+
},
611
+
},
612
+
"required": []string{"suggestions"},
613
+
},
614
+
}},
615
+
"tool_choice": map[string]any{"type": "tool", "name": "suggest_fixes"},
616
+
"messages": []map[string]string{
617
+
{"role": "user", "content": prompt},
618
+
},
619
+
}
620
+
621
+
bodyBytes, err := json.Marshal(reqBody)
622
+
if err != nil {
623
+
return "", fmt.Errorf("marshal request: %w", err)
624
+
}
625
+
626
+
req, err := http.NewRequestWithContext(ctx, "POST", "https://api.anthropic.com/v1/messages", bytes.NewReader(bodyBytes))
627
+
if err != nil {
628
+
return "", fmt.Errorf("build request: %w", err)
629
+
}
630
+
req.Header.Set("x-api-key", apiKey)
631
+
req.Header.Set("anthropic-version", "2023-06-01")
632
+
req.Header.Set("content-type", "application/json")
633
+
634
+
resp, err := http.DefaultClient.Do(req)
635
+
if err != nil {
636
+
return "", fmt.Errorf("API request: %w", err)
637
+
}
638
+
defer resp.Body.Close()
639
+
640
+
if resp.StatusCode != http.StatusOK {
641
+
body, _ := io.ReadAll(resp.Body)
642
+
return "", fmt.Errorf("API returned %d: %s", resp.StatusCode, string(body))
643
+
}
644
+
645
+
var apiResp struct {
646
+
Content []struct {
647
+
Type string `json:"type"`
648
+
Name string `json:"name"`
649
+
Input json.RawMessage `json:"input"`
650
+
} `json:"content"`
651
+
}
652
+
if err := json.NewDecoder(resp.Body).Decode(&apiResp); err != nil {
653
+
return "", fmt.Errorf("parse response: %w", err)
654
+
}
655
+
656
+
for _, c := range apiResp.Content {
657
+
if c.Type == "tool_use" && c.Name == "suggest_fixes" {
658
+
return string(c.Input), nil
659
+
}
660
+
}
661
+
return "", fmt.Errorf("no tool_use content in response")
662
+
}
663
+
664
+
// parseAdvisorResponse parses the JSON suggestions (from API or cache) into suggestions.
665
+
func parseAdvisorResponse(jsonStr string) ([]advisorSuggestion, error) {
666
+
var result struct {
667
+
Suggestions []advisorSuggestion `json:"suggestions"`
668
+
}
669
+
if err := json.Unmarshal([]byte(jsonStr), &result); err != nil {
670
+
return nil, err
671
+
}
672
+
return result.Suggestions, nil
673
+
}
674
+
675
+
// Prompt helper functions
676
+
677
+
func advisorHumanSize(bytes int64) string {
678
+
const (
679
+
KB = 1024
680
+
MB = 1024 * KB
681
+
GB = 1024 * MB
682
+
)
683
+
switch {
684
+
case bytes >= GB:
685
+
return fmt.Sprintf("%.1f GB", float64(bytes)/float64(GB))
686
+
case bytes >= MB:
687
+
return fmt.Sprintf("%.1f MB", float64(bytes)/float64(MB))
688
+
case bytes >= KB:
689
+
return fmt.Sprintf("%.1f KB", float64(bytes)/float64(KB))
690
+
default:
691
+
return fmt.Sprintf("%d B", bytes)
692
+
}
693
+
}
694
+
695
+
func advisorCleanCommand(cmd string) string {
696
+
cmd = strings.TrimPrefix(cmd, "/bin/sh -c ")
697
+
cmd = strings.TrimPrefix(cmd, "#(nop) ")
698
+
return strings.TrimSpace(cmd)
699
+
}
700
+
701
+
func advisorShouldRedact(envName string) bool {
702
+
upper := strings.ToUpper(envName)
703
+
for _, suffix := range []string{"_KEY", "_SECRET", "_PASSWORD", "_TOKEN", "_CREDENTIALS", "_API_KEY"} {
704
+
if strings.HasSuffix(upper, suffix) {
705
+
return true
706
+
}
707
+
}
708
+
return false
709
+
}
710
+
711
+
func advisorSeverityRank(s string) int {
712
+
switch s {
713
+
case "Critical":
714
+
return 0
715
+
case "High":
716
+
return 1
717
+
case "Medium":
718
+
return 2
719
+
case "Low":
720
+
return 3
721
+
case "Negligible":
722
+
return 4
723
+
default:
724
+
return 5
725
+
}
726
+
}
727
+
728
+
func advisorExtractPackageType(supplier string) string {
729
+
s := strings.ToLower(supplier)
730
+
switch {
731
+
case strings.Contains(s, "npmjs") || strings.Contains(s, "npm"):
732
+
return "npm"
733
+
case strings.Contains(s, "pypi") || strings.Contains(s, "python"):
734
+
return "python"
735
+
case strings.Contains(s, "rubygems"):
736
+
return "gem"
737
+
case strings.Contains(s, "golang") || strings.Contains(s, "go"):
738
+
return "go"
739
+
case strings.Contains(s, "debian") || strings.Contains(s, "ubuntu"):
740
+
return "deb"
741
+
case strings.Contains(s, "alpine"):
742
+
return "apk"
743
+
case strings.Contains(s, "redhat") || strings.Contains(s, "fedora") || strings.Contains(s, "centos"):
744
+
return "rpm"
745
+
case strings.Contains(s, "maven") || strings.Contains(s, "java"):
746
+
return "java"
747
+
case strings.Contains(s, "nuget") || strings.Contains(s, ".net"):
748
+
return "nuget"
749
+
case strings.Contains(s, "cargo") || strings.Contains(s, "rust"):
750
+
return "rust"
751
+
default:
752
+
return ""
753
+
}
754
+
}
+153
-17
pkg/appview/handlers/repository.go
+153
-17
pkg/appview/handlers/repository.go
···
12
12
"time"
13
13
14
14
"atcr.io/pkg/appview/db"
15
+
"atcr.io/pkg/appview/holdclient"
15
16
"atcr.io/pkg/appview/middleware"
16
17
"atcr.io/pkg/appview/readme"
18
+
"atcr.io/pkg/appview/storage"
17
19
"atcr.io/pkg/atproto"
18
20
"github.com/go-chi/chi/v5"
19
21
)
22
+
23
+
// SelectedTagData holds all data for the currently selected tag on the repo page.
24
+
type SelectedTagData struct {
25
+
Info *db.TagWithPlatforms
26
+
LayerCount int
27
+
CompressedSize int64 // total across all platforms
28
+
ScanBatchParams []template.HTML
29
+
}
20
30
21
31
// RepositoryPageHandler handles the public repository page
22
32
type RepositoryPageHandler struct {
···
62
72
return
63
73
}
64
74
65
-
// Fetch latest tag for pull command
66
-
latestTag, err := db.GetLatestTag(h.ReadOnlyDB, owner.DID, repository)
75
+
// Fetch all tag names for the selector dropdown
76
+
allTags, err := db.GetAllTagNames(h.ReadOnlyDB, owner.DID, repository)
67
77
if err != nil {
68
-
http.Error(w, err.Error(), http.StatusInternalServerError)
69
-
return
78
+
slog.Warn("Failed to fetch tag names", "error", err)
70
79
}
71
80
72
-
// Determine artifact type from latest tag
73
-
artifactType := "container-image"
74
-
latestTagName := ""
75
-
if latestTag != nil {
76
-
latestTagName = latestTag.Tag
77
-
artifactType = latestTag.ArtifactType
81
+
// Determine which tag to show
82
+
selectedTagName := r.URL.Query().Get("tag")
83
+
if selectedTagName == "" {
84
+
// Default: "latest" if it exists, otherwise most recent
85
+
for _, t := range allTags {
86
+
if t == "latest" {
87
+
selectedTagName = "latest"
88
+
break
89
+
}
90
+
}
91
+
if selectedTagName == "" && len(allTags) > 0 {
92
+
selectedTagName = allTags[0] // most recent (already sorted DESC)
93
+
}
94
+
}
95
+
96
+
// Fetch the selected tag's full data
97
+
var selectedTag *SelectedTagData
98
+
var artifactType = "container-image"
99
+
if selectedTagName != "" {
100
+
tagData, err := db.GetTagByName(h.ReadOnlyDB, owner.DID, repository, selectedTagName)
101
+
if err != nil {
102
+
slog.Warn("Failed to fetch selected tag", "error", err, "tag", selectedTagName)
103
+
}
104
+
if tagData != nil {
105
+
artifactType = tagData.ArtifactType
106
+
107
+
// Ensure single-arch tags have a one-element Platforms slice
108
+
platforms := tagData.Platforms
109
+
if len(platforms) == 0 {
110
+
platforms = []db.PlatformInfo{{
111
+
Digest: tagData.Digest,
112
+
HoldEndpoint: tagData.HoldEndpoint,
113
+
CompressedSize: tagData.CompressedSize,
114
+
}}
115
+
}
116
+
tagData.Platforms = platforms
117
+
118
+
// Compute total compressed size across all platforms
119
+
var totalSize int64
120
+
if tagData.IsMultiArch {
121
+
for _, p := range platforms {
122
+
totalSize += p.CompressedSize
123
+
}
124
+
} else {
125
+
totalSize = tagData.CompressedSize
126
+
}
127
+
128
+
// Get layer count from image config (includes empty layers)
129
+
layerCountDigest := tagData.Digest
130
+
if tagData.IsMultiArch && len(platforms) > 0 && platforms[0].Digest != "" {
131
+
layerCountDigest = platforms[0].Digest
132
+
}
133
+
var layerCount int
134
+
holdEndpoint := platforms[0].HoldEndpoint
135
+
hold, holdErr := ResolveHold(r.Context(), h.ReadOnlyDB, holdEndpoint)
136
+
if holdErr == nil {
137
+
config, cfgErr := holdclient.FetchImageConfig(r.Context(), hold.URL, layerCountDigest)
138
+
if cfgErr == nil {
139
+
layerCount = len(config.History)
140
+
} else {
141
+
slog.Warn("Failed to fetch image config for layer count", "error", cfgErr)
142
+
}
143
+
}
144
+
// Fall back to DB count (non-empty layers only) if hold unavailable
145
+
if layerCount == 0 {
146
+
layerCount, err = db.GetLayerCountForManifest(h.ReadOnlyDB, owner.DID, repository, layerCountDigest)
147
+
if err != nil {
148
+
slog.Warn("Failed to fetch layer count", "error", err)
149
+
}
150
+
}
151
+
152
+
// Build scan batch params for first platform only (summary card)
153
+
scanBatchParams := buildScanBatchParams(platforms[:1])
154
+
155
+
selectedTag = &SelectedTagData{
156
+
Info: tagData,
157
+
LayerCount: layerCount,
158
+
CompressedSize: totalSize,
159
+
ScanBatchParams: scanBatchParams,
160
+
}
161
+
}
78
162
}
79
163
80
164
// Create repository summary
···
97
181
repo.Version = metadata["org.opencontainers.image.version"]
98
182
}
99
183
100
-
// Fetch star count
184
+
// Fetch stats
101
185
stats, err := db.GetRepositoryStats(h.ReadOnlyDB, owner.DID, repository)
102
186
if err != nil {
103
187
slog.Warn("Failed to fetch repository stats", "error", err)
104
188
stats = &db.RepositoryStats{StarCount: 0}
189
+
}
190
+
191
+
tagCount, err := db.CountTags(h.ReadOnlyDB, owner.DID, repository)
192
+
if err != nil {
193
+
slog.Warn("Failed to fetch tag count", "error", err)
105
194
}
106
195
107
196
// Check if current user has starred this repo
···
193
282
Meta *PageMeta
194
283
Owner *db.User
195
284
Repository *db.Repository
196
-
LatestTag string
197
-
StarCount int
198
-
PullCount int
285
+
AllTags []string
286
+
SelectedTag *SelectedTagData
287
+
Stats *db.RepositoryStats
288
+
TagCount int
199
289
IsStarred bool
200
290
IsOwner bool
201
291
ReadmeHTML template.HTML
···
206
296
Meta: meta,
207
297
Owner: owner,
208
298
Repository: repo,
209
-
LatestTag: latestTagName,
210
-
StarCount: stats.StarCount,
211
-
PullCount: stats.PullCount,
299
+
AllTags: allTags,
300
+
SelectedTag: selectedTag,
301
+
Stats: stats,
302
+
TagCount: tagCount,
212
303
IsStarred: isStarred,
213
304
IsOwner: isOwner,
214
305
ReadmeHTML: readmeHTML,
···
216
307
ArtifactType: artifactType,
217
308
}
218
309
310
+
// If the owner has disabled AI advisor in their profile, hide the button
311
+
if isOwner && data.AIAdvisorEnabled && user != nil {
312
+
client := atproto.NewClientWithSessionProvider(user.PDSEndpoint, user.DID, h.Refresher)
313
+
if profile, err := storage.GetProfile(r.Context(), client); err == nil && profile != nil {
314
+
if profile.AIAdvisorEnabled != nil && !*profile.AIAdvisorEnabled {
315
+
data.AIAdvisorEnabled = false
316
+
}
317
+
}
318
+
}
319
+
320
+
// If this is an HTMX request for the tag section, render just the partial
321
+
if r.Header.Get("HX-Request") == "true" && r.URL.Query().Get("tag") != "" {
322
+
w.Header().Set("Content-Type", "text/html; charset=utf-8")
323
+
if err := h.Templates.ExecuteTemplate(w, "repo-tag-section", data); err != nil {
324
+
http.Error(w, err.Error(), http.StatusInternalServerError)
325
+
}
326
+
return
327
+
}
328
+
219
329
if err := h.Templates.ExecuteTemplate(w, "repository", data); err != nil {
220
330
http.Error(w, err.Error(), http.StatusInternalServerError)
221
331
return
222
332
}
333
+
}
334
+
335
+
// buildScanBatchParams builds HTMX query params for batch scan-result requests
336
+
// from a list of platform infos.
337
+
func buildScanBatchParams(platforms []db.PlatformInfo) []template.HTML {
338
+
holdDigests := make(map[string][]string)
339
+
seen := make(map[string]bool)
340
+
for _, p := range platforms {
341
+
if p.Digest != "" && p.HoldEndpoint != "" && !seen[p.Digest] {
342
+
seen[p.Digest] = true
343
+
hex := strings.TrimPrefix(p.Digest, "sha256:")
344
+
holdDigests[p.HoldEndpoint] = append(holdDigests[p.HoldEndpoint], hex)
345
+
}
346
+
}
347
+
var params []template.HTML
348
+
for hold, digests := range holdDigests {
349
+
for i := 0; i < len(digests); i += 50 {
350
+
end := i + 50
351
+
if end > len(digests) {
352
+
end = len(digests)
353
+
}
354
+
params = append(params, template.HTML(
355
+
"holdEndpoint="+url.QueryEscape(hold)+"&digests="+strings.Join(digests[i:end], ",")))
356
+
}
357
+
}
358
+
return params
223
359
}
224
360
225
361
// RepositoryTagsHandler returns the tags+manifests HTMX partial for a repository
+43
pkg/appview/handlers/settings.go
+43
pkg/appview/handlers/settings.go
···
138
138
DefaultHold string
139
139
AutoRemoveUntagged bool
140
140
OciClient string
141
+
AIAdvisorEnabled bool
142
+
HasAIAdvisorAccess bool // billing tier grants access
141
143
}
142
144
ActiveHold *HoldDisplay
143
145
OtherHolds []HoldDisplay
···
160
162
data.Profile.DefaultHold = profile.DefaultHold
161
163
data.Profile.AutoRemoveUntagged = profile.AutoRemoveUntagged
162
164
data.Profile.OciClient = profile.OciClient
165
+
data.Profile.AIAdvisorEnabled = profile.AIAdvisorEnabled == nil || *profile.AIAdvisorEnabled
166
+
if h.BillingManager != nil {
167
+
data.Profile.HasAIAdvisorAccess = h.BillingManager.HasAIAdvisor(user.DID)
168
+
}
163
169
164
170
if err := h.Templates.ExecuteTemplate(w, "settings", data); err != nil {
165
171
http.Error(w, err.Error(), http.StatusInternalServerError)
···
472
478
// Cache locally
473
479
if h.DB != nil {
474
480
_ = db.UpdateUserOciClient(h.DB, user.DID, ociClient)
481
+
}
482
+
483
+
w.WriteHeader(http.StatusNoContent)
484
+
}
485
+
486
+
// UpdateAIAdvisorHandler handles toggling the AI Image Advisor setting
487
+
type UpdateAIAdvisorHandler struct {
488
+
BaseUIHandler
489
+
}
490
+
491
+
func (h *UpdateAIAdvisorHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
492
+
user := middleware.GetUser(r)
493
+
if user == nil {
494
+
http.Error(w, "Unauthorized", http.StatusUnauthorized)
495
+
return
496
+
}
497
+
498
+
client := atproto.NewClientWithSessionProvider(user.PDSEndpoint, user.DID, h.Refresher)
499
+
500
+
profile, err := storage.GetProfile(r.Context(), client)
501
+
if err != nil || profile == nil {
502
+
http.Error(w, "Failed to fetch profile", http.StatusInternalServerError)
503
+
return
504
+
}
505
+
506
+
// Toggle: nil/true → false, false → nil (default enabled)
507
+
if profile.AIAdvisorEnabled == nil || *profile.AIAdvisorEnabled {
508
+
f := false
509
+
profile.AIAdvisorEnabled = &f
510
+
} else {
511
+
profile.AIAdvisorEnabled = nil
512
+
}
513
+
profile.UpdatedAt = time.Now()
514
+
515
+
if err := storage.UpdateProfile(r.Context(), client, profile); err != nil {
516
+
http.Error(w, "Failed to update profile: "+err.Error(), http.StatusInternalServerError)
517
+
return
475
518
}
476
519
477
520
w.WriteHeader(http.StatusNoContent)
+1
-1
pkg/appview/handlers/subscription.go
+1
-1
pkg/appview/handlers/subscription.go
+1
pkg/appview/jetstream/backfill.go
+1
pkg/appview/jetstream/backfill.go
···
83
83
atproto.SailorProfileCollection, // io.atcr.sailor.profile
84
84
atproto.RepoPageCollection, // io.atcr.repo.page
85
85
atproto.StatsCollection, // io.atcr.hold.stats (from holds)
86
+
atproto.DailyStatsCollection, // io.atcr.hold.stats.daily (from holds)
86
87
atproto.CaptainCollection, // io.atcr.hold.captain (from holds)
87
88
atproto.CrewCollection, // io.atcr.hold.crew (from holds)
88
89
atproto.ScanCollection, // io.atcr.hold.scan (from holds)
+42
pkg/appview/jetstream/processor.go
+42
pkg/appview/jetstream/processor.go
···
289
289
case atproto.StatsCollection:
290
290
return p.ProcessStats(ctx, did, data, isDelete)
291
291
292
+
case atproto.DailyStatsCollection:
293
+
return p.ProcessDailyStats(ctx, did, data, isDelete)
294
+
292
295
case atproto.CaptainCollection:
293
296
if isDelete {
294
297
return db.DeleteCaptainRecord(p.db, did)
···
353
356
if !isManifestList && manifestRecord.Config != nil {
354
357
manifest.ConfigDigest = manifestRecord.Config.Digest
355
358
manifest.ConfigSize = manifestRecord.Config.Size
359
+
}
360
+
361
+
// Track subject digest for attestation/referrer manifests
362
+
if manifestRecord.Subject != nil {
363
+
manifest.SubjectDigest = manifestRecord.Subject.Digest
356
364
}
357
365
358
366
// Insert manifest
···
822
830
PushCount: int(totalPush),
823
831
LastPull: latestPull,
824
832
LastPush: latestPush,
833
+
})
834
+
}
835
+
836
+
// ProcessDailyStats handles daily stats record events from hold PDSes
837
+
// This is called when Jetstream receives a daily stats create/update/delete event from a hold
838
+
func (p *Processor) ProcessDailyStats(ctx context.Context, holdDID string, recordData []byte, isDelete bool) error {
839
+
var record atproto.DailyStatsRecord
840
+
if err := json.Unmarshal(recordData, &record); err != nil {
841
+
return fmt.Errorf("failed to unmarshal daily stats record: %w", err)
842
+
}
843
+
844
+
if isDelete {
845
+
// Daily stats deletions are rare — just log and skip
846
+
slog.Debug("Daily stats record deleted",
847
+
"holdDID", holdDID,
848
+
"ownerDID", record.OwnerDID,
849
+
"repository", record.Repository,
850
+
"date", record.Date)
851
+
return nil
852
+
}
853
+
854
+
// Ensure the owner user exists (FK constraint)
855
+
if record.OwnerDID != "" {
856
+
if err := p.EnsureUserExists(ctx, record.OwnerDID); err != nil {
857
+
return fmt.Errorf("failed to ensure daily stats owner user exists: %w", err)
858
+
}
859
+
}
860
+
861
+
return db.UpsertDailyStats(p.db, &db.DailyStats{
862
+
DID: record.OwnerDID,
863
+
Repository: record.Repository,
864
+
Date: record.Date,
865
+
PullCount: int(record.PullCount),
866
+
PushCount: int(record.PushCount),
825
867
})
826
868
}
827
869
+1
pkg/appview/jetstream/processor_test.go
+1
pkg/appview/jetstream/processor_test.go
+7
pkg/appview/public/icons.svg
+7
pkg/appview/public/icons.svg
···
7
7
<symbol id="arrow-left" viewBox="0 0 24 24"><path d="m12 19-7-7 7-7"/><path d="M19 12H5"/></symbol>
8
8
<symbol id="arrow-right" viewBox="0 0 24 24"><path d="M5 12h14"/><path d="m12 5 7 7-7 7"/></symbol>
9
9
<symbol id="bold" viewBox="0 0 24 24"><path d="M6 12h9a4 4 0 0 1 0 8H7a1 1 0 0 1-1-1V5a1 1 0 0 1 1-1h7a4 4 0 0 1 0 8"/></symbol>
10
+
<symbol id="book-open" viewBox="0 0 24 24"><path d="M12 7v14"/><path d="M3 18a1 1 0 0 1-1-1V4a1 1 0 0 1 1-1h5a4 4 0 0 1 4 4 4 4 0 0 1 4-4h5a1 1 0 0 1 1 1v13a1 1 0 0 1-1 1h-6a3 3 0 0 0-3 3 3 3 0 0 0-3-3z"/></symbol>
10
11
<symbol id="check" viewBox="0 0 24 24"><path d="M20 6 9 17l-5-5"/></symbol>
11
12
<symbol id="check-circle" viewBox="0 0 24 24"><path d="M21.801 10A10 10 0 1 1 17 3.335"/><path d="m9 11 3 3L22 4"/></symbol>
12
13
<symbol id="chevron-down" viewBox="0 0 24 24"><path d="m6 9 6 6 6-6"/></symbol>
···
18
19
<symbol id="container" viewBox="0 0 24 24"><path d="M22 7.7c0-.6-.4-1.2-.8-1.5l-6.3-3.9a1.72 1.72 0 0 0-1.7 0l-10.3 6c-.5.2-.9.8-.9 1.4v6.6c0 .5.4 1.2.8 1.5l6.3 3.9a1.72 1.72 0 0 0 1.7 0l10.3-6c.5-.3.9-1 .9-1.5Z"/><path d="M10 21.9V14L2.1 9.1"/><path d="m10 14 11.9-6.9"/><path d="M14 19.8v-8.1"/><path d="M18 17.5V9.4"/></symbol>
19
20
<symbol id="copy" viewBox="0 0 24 24"><rect width="14" height="14" x="8" y="8" rx="2" ry="2"/><path d="M4 16c-1.1 0-2-.9-2-2V4c0-1.1.9-2 2-2h10c1.1 0 2 .9 2 2"/></symbol>
20
21
<symbol id="cpu" viewBox="0 0 24 24"><path d="M12 20v2"/><path d="M12 2v2"/><path d="M17 20v2"/><path d="M17 2v2"/><path d="M2 12h2"/><path d="M2 17h2"/><path d="M2 7h2"/><path d="M20 12h2"/><path d="M20 17h2"/><path d="M20 7h2"/><path d="M7 20v2"/><path d="M7 2v2"/><rect x="4" y="4" width="16" height="16" rx="2"/><rect x="8" y="8" width="8" height="8" rx="1"/></symbol>
22
+
<symbol id="credit-card" viewBox="0 0 24 24"><rect width="20" height="14" x="2" y="5" rx="2"/><line x1="2" x2="22" y1="10" y2="10"/></symbol>
21
23
<symbol id="database" viewBox="0 0 24 24"><ellipse cx="12" cy="5" rx="9" ry="3"/><path d="M3 5V19A9 3 0 0 0 21 19V5"/><path d="M3 12A9 3 0 0 0 21 12"/></symbol>
22
24
<symbol id="download" viewBox="0 0 24 24"><path d="M12 15V3"/><path d="M21 15v4a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2v-4"/><path d="m7 10 5 5 5-5"/></symbol>
23
25
<symbol id="external-link" viewBox="0 0 24 24"><path d="M15 3h6v6"/><path d="M10 14 21 3"/><path d="M18 13v6a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2V8a2 2 0 0 1 2-2h6"/></symbol>
24
26
<symbol id="eye" viewBox="0 0 24 24"><path d="M2.062 12.348a1 1 0 0 1 0-.696 10.75 10.75 0 0 1 19.876 0 1 1 0 0 1 0 .696 10.75 10.75 0 0 1-19.876 0"/><circle cx="12" cy="12" r="3"/></symbol>
25
27
<symbol id="file-plus" viewBox="0 0 24 24"><path d="M6 22a2 2 0 0 1-2-2V4a2 2 0 0 1 2-2h8a2.4 2.4 0 0 1 1.704.706l3.588 3.588A2.4 2.4 0 0 1 20 8v12a2 2 0 0 1-2 2z"/><path d="M14 2v5a1 1 0 0 0 1 1h5"/><path d="M9 15h6"/><path d="M12 18v-6"/></symbol>
28
+
<symbol id="file-text" viewBox="0 0 24 24"><path d="M6 22a2 2 0 0 1-2-2V4a2 2 0 0 1 2-2h8a2.4 2.4 0 0 1 1.704.706l3.588 3.588A2.4 2.4 0 0 1 20 8v12a2 2 0 0 1-2 2z"/><path d="M14 2v5a1 1 0 0 0 1 1h5"/><path d="M10 9H8"/><path d="M16 13H8"/><path d="M16 17H8"/></symbol>
26
29
<symbol id="file-x" viewBox="0 0 24 24"><path d="M6 22a2 2 0 0 1-2-2V4a2 2 0 0 1 2-2h8a2.4 2.4 0 0 1 1.704.706l3.588 3.588A2.4 2.4 0 0 1 20 8v12a2 2 0 0 1-2 2z"/><path d="M14 2v5a1 1 0 0 0 1 1h5"/><path d="m14.5 12.5-5 5"/><path d="m9.5 12.5 5 5"/></symbol>
27
30
<symbol id="fingerprint" viewBox="0 0 24 24"><path d="M12 10a2 2 0 0 0-2 2c0 1.02-.1 2.51-.26 4"/><path d="M14 13.12c0 2.38 0 6.38-1 8.88"/><path d="M17.29 21.02c.12-.6.43-2.3.5-3.02"/><path d="M2 12a10 10 0 0 1 18-6"/><path d="M2 16h.01"/><path d="M21.8 16c.2-2 .131-5.354 0-6"/><path d="M5 19.5C5.5 18 6 15 6 12a6 6 0 0 1 .34-2"/><path d="M8.65 22c.21-.66.45-1.32.57-2"/><path d="M9 6.8a6 6 0 0 1 9 5.2v2"/></symbol>
31
+
<symbol id="git-compare" viewBox="0 0 24 24"><circle cx="18" cy="18" r="3"/><circle cx="6" cy="6" r="3"/><path d="M13 6h3a2 2 0 0 1 2 2v7"/><path d="M11 18H8a2 2 0 0 1-2-2V9"/></symbol>
28
32
<symbol id="git-merge" viewBox="0 0 24 24"><circle cx="18" cy="18" r="3"/><circle cx="6" cy="6" r="3"/><path d="M6 21V9a9 9 0 0 0 9 9"/></symbol>
29
33
<symbol id="github" viewBox="0 0 24 24"><path d="M15 22v-4a4.8 4.8 0 0 0-1-3.5c3 0 6-2 6-5.5.08-1.25-.27-2.48-1-3.5.28-1.15.28-2.35 0-3.5 0 0-1 0-3 1.5-2.64-.5-5.36-.5-8 0C6 2 5 2 5 2c-.3 1.15-.3 2.35 0 3.5A5.403 5.403 0 0 0 4 9c0 3.5 3 5.5 6 5.5-.39.49-.68 1.05-.85 1.65-.17.6-.22 1.23-.15 1.85v4"/><path d="M9 18c-4.51 2-5-2-7-2"/></symbol>
30
34
<symbol id="hard-drive" viewBox="0 0 24 24"><path d="M10 16h.01"/><path d="M2.212 11.577a2 2 0 0 0-.212.896V18a2 2 0 0 0 2 2h16a2 2 0 0 0 2-2v-5.527a2 2 0 0 0-.212-.896L18.55 5.11A2 2 0 0 0 16.76 4H7.24a2 2 0 0 0-1.79 1.11z"/><path d="M21.946 12.013H2.054"/><path d="M6 16h.01"/></symbol>
···
50
54
<symbol id="settings" viewBox="0 0 24 24"><path d="M9.671 4.136a2.34 2.34 0 0 1 4.659 0 2.34 2.34 0 0 0 3.319 1.915 2.34 2.34 0 0 1 2.33 4.033 2.34 2.34 0 0 0 0 3.831 2.34 2.34 0 0 1-2.33 4.033 2.34 2.34 0 0 0-3.319 1.915 2.34 2.34 0 0 1-4.659 0 2.34 2.34 0 0 0-3.32-1.915 2.34 2.34 0 0 1-2.33-4.033 2.34 2.34 0 0 0 0-3.831A2.34 2.34 0 0 1 6.35 6.051a2.34 2.34 0 0 0 3.319-1.915"/><circle cx="12" cy="12" r="3"/></symbol>
51
55
<symbol id="shield-check" viewBox="0 0 24 24"><path d="M20 13c0 5-3.5 7.5-7.66 8.95a1 1 0 0 1-.67-.01C7.5 20.5 4 18 4 13V6a1 1 0 0 1 1-1c2 0 4.5-1.2 6.24-2.72a1.17 1.17 0 0 1 1.52 0C14.51 3.81 17 5 19 5a1 1 0 0 1 1 1z"/><path d="m9 12 2 2 4-4"/></symbol>
52
56
<symbol id="ship" viewBox="0 0 24 24"><path d="M12 10.189V14"/><path d="M12 2v3"/><path d="M19 13V7a2 2 0 0 0-2-2H7a2 2 0 0 0-2 2v6"/><path d="M19.38 20A11.6 11.6 0 0 0 21 14l-8.188-3.639a2 2 0 0 0-1.624 0L3 14a11.6 11.6 0 0 0 2.81 7.76"/><path d="M2 21c.6.5 1.2 1 2.5 1 2.5 0 2.5-2 5-2 1.3 0 1.9.5 2.5 1s1.2 1 2.5 1c2.5 0 2.5-2 5-2 1.3 0 1.9.5 2.5 1"/></symbol>
57
+
<symbol id="sparkle" viewBox="0 0 24 24"><path d="M11.017 2.814a1 1 0 0 1 1.966 0l1.051 5.558a2 2 0 0 0 1.594 1.594l5.558 1.051a1 1 0 0 1 0 1.966l-5.558 1.051a2 2 0 0 0-1.594 1.594l-1.051 5.558a1 1 0 0 1-1.966 0l-1.051-5.558a2 2 0 0 0-1.594-1.594l-5.558-1.051a1 1 0 0 1 0-1.966l5.558-1.051a2 2 0 0 0 1.594-1.594z"/></symbol>
58
+
<symbol id="sparkles" viewBox="0 0 24 24"><path d="M11.017 2.814a1 1 0 0 1 1.966 0l1.051 5.558a2 2 0 0 0 1.594 1.594l5.558 1.051a1 1 0 0 1 0 1.966l-5.558 1.051a2 2 0 0 0-1.594 1.594l-1.051 5.558a1 1 0 0 1-1.966 0l-1.051-5.558a2 2 0 0 0-1.594-1.594l-5.558-1.051a1 1 0 0 1 0-1.966l5.558-1.051a2 2 0 0 0 1.594-1.594z"/><path d="M20 2v4"/><path d="M22 4h-4"/><circle cx="4" cy="20" r="2"/></symbol>
53
59
<symbol id="star" viewBox="0 0 24 24"><path d="M11.525 2.295a.53.53 0 0 1 .95 0l2.31 4.679a2.123 2.123 0 0 0 1.595 1.16l5.166.756a.53.53 0 0 1 .294.904l-3.736 3.638a2.123 2.123 0 0 0-.611 1.878l.882 5.14a.53.53 0 0 1-.771.56l-4.618-2.428a2.122 2.122 0 0 0-1.973 0L6.396 21.01a.53.53 0 0 1-.77-.56l.881-5.139a2.122 2.122 0 0 0-.611-1.879L2.16 9.795a.53.53 0 0 1 .294-.906l5.165-.755a2.122 2.122 0 0 0 1.597-1.16z"/></symbol>
54
60
<symbol id="sun" viewBox="0 0 24 24"><circle cx="12" cy="12" r="4"/><path d="M12 2v2"/><path d="M12 20v2"/><path d="m4.93 4.93 1.41 1.41"/><path d="m17.66 17.66 1.41 1.41"/><path d="M2 12h2"/><path d="M20 12h2"/><path d="m6.34 17.66-1.41 1.41"/><path d="m19.07 4.93-1.41 1.41"/></symbol>
55
61
<symbol id="sun-moon" viewBox="0 0 24 24"><path d="M12 2v2"/><path d="M14.837 16.385a6 6 0 1 1-7.223-7.222c.624-.147.97.66.715 1.248a4 4 0 0 0 5.26 5.259c.589-.255 1.396.09 1.248.715"/><path d="M16 12a4 4 0 0 0-4-4"/><path d="m19 5-1.256 1.256"/><path d="M20 12h2"/></symbol>
62
+
<symbol id="tag" viewBox="0 0 24 24"><path d="M12.586 2.586A2 2 0 0 0 11.172 2H4a2 2 0 0 0-2 2v7.172a2 2 0 0 0 .586 1.414l8.704 8.704a2.426 2.426 0 0 0 3.42 0l6.58-6.58a2.426 2.426 0 0 0 0-3.42z"/><circle cx="7.5" cy="7.5" r=".5" fill="currentColor"/></symbol>
56
63
<symbol id="terminal" viewBox="0 0 24 24"><path d="M12 19h8"/><path d="m4 17 6-6-6-6"/></symbol>
57
64
<symbol id="trash-2" viewBox="0 0 24 24"><path d="M10 11v6"/><path d="M14 11v6"/><path d="M19 6v14a2 2 0 0 1-2 2H7a2 2 0 0 1-2-2V6"/><path d="M3 6h18"/><path d="M8 6V4a2 2 0 0 1 2-2h4a2 2 0 0 1 2 2v2"/></symbol>
58
65
<symbol id="triangle-alert" viewBox="0 0 24 24"><path d="m21.73 18-8-14a2 2 0 0 0-3.48 0l-8 14A2 2 0 0 0 4 21h16a2 2 0 0 0 1.73-3"/><path d="M12 9v4"/><path d="M12 17h.01"/></symbol>
+6
pkg/appview/routes/routes.go
+6
pkg/appview/routes/routes.go
···
44
44
ClientShortName string // Short name: "ATCR"
45
45
BillingManager *billing.Manager // Stripe billing manager (nil if not configured)
46
46
WebhookDispatcher *webhooks.Dispatcher // Webhook dispatcher (nil if not configured)
47
+
ClaudeAPIKey string // Anthropic API key for AI advisor (empty = disabled)
47
48
}
48
49
49
50
// RegisterUIRoutes registers all web UI and API routes on the provided router
···
78
79
Jurisdiction: deps.LegalConfig.Jurisdiction,
79
80
ClientName: deps.ClientName,
80
81
ClientShortName: deps.ClientShortName,
82
+
AIAdvisorEnabled: deps.ClaudeAPIKey != "",
81
83
}
82
84
83
85
// OAuth login routes (public)
···
158
160
159
161
router.Get("/api/digest-content/{handle}/*", (&uihandlers.DigestContentHandler{BaseUIHandler: base}).ServeHTTP)
160
162
router.Get("/api/upgrade-banner/{handle}/*", (&uihandlers.UpgradeBannerHandler{BaseUIHandler: base}).ServeHTTP)
163
+
router.Get("/api/image-advisor/{handle}/*", middleware.RequireAuth(deps.SessionStore, deps.Database)(
164
+
&uihandlers.ImageAdvisorHandler{BaseUIHandler: base, ClaudeAPIKey: deps.ClaudeAPIKey},
165
+
).ServeHTTP)
161
166
162
167
// Diff page: /diff/{handle}/{repo}?from=...&to=...
163
168
router.Get("/diff/{handle}/*", middleware.OptionalAuth(deps.SessionStore, deps.Database)(
···
177
182
r.Post("/api/profile/default-hold", (&uihandlers.UpdateDefaultHoldHandler{BaseUIHandler: base}).ServeHTTP)
178
183
r.Post("/api/profile/auto-remove-untagged", (&uihandlers.UpdateAutoRemoveUntaggedHandler{BaseUIHandler: base}).ServeHTTP)
179
184
r.Post("/api/profile/oci-client", (&uihandlers.UpdateOciClientHandler{BaseUIHandler: base}).ServeHTTP)
185
+
r.Post("/api/profile/ai-advisor", (&uihandlers.UpdateAIAdvisorHandler{BaseUIHandler: base}).ServeHTTP)
180
186
181
187
// Subscription management
182
188
r.Get("/settings/subscription/checkout", (&uihandlers.SubscriptionCheckoutHandler{BaseUIHandler: base}).ServeHTTP)
+4
pkg/appview/server.go
+4
pkg/appview/server.go
···
144
144
})
145
145
146
146
slog.Info("Configuration loaded successfully from environment")
147
+
if cfg.AI.APIKey != "" {
148
+
slog.Info("AI Image Advisor enabled")
149
+
}
147
150
148
151
s := &AppViewServer{
149
152
Config: cfg,
···
330
333
ClientShortName: cfg.Server.ClientShortName,
331
334
BillingManager: s.BillingManager,
332
335
WebhookDispatcher: s.WebhookDispatcher,
336
+
ClaudeAPIKey: cfg.AI.APIKey,
333
337
LegalConfig: routes.LegalConfig{
334
338
CompanyName: cfg.Legal.CompanyName,
335
339
Jurisdiction: cfg.Legal.Jurisdiction,
+80
pkg/appview/templates/components/pull-command-switcher.html
+80
pkg/appview/templates/components/pull-command-switcher.html
···
1
+
{{ define "pull-command-switcher" }}
2
+
{{/*
3
+
Pull command with inline OCI client switcher.
4
+
Expects dict with: RegistryURL, OwnerHandle, RepoName, Tag, ArtifactType, OciClient, IsLoggedIn
5
+
6
+
For helm charts, shows helm command only (no switcher).
7
+
For container images, shows a client dropdown that updates the command.
8
+
Logged-in users: saves to profile via HTMX POST.
9
+
Anonymous users: saves to localStorage.
10
+
*/}}
11
+
{{ if eq .ArtifactType "helm-chart" }}
12
+
<div class="space-y-2">
13
+
<p class="text-sm font-medium text-base-content/70">Pull this chart</p>
14
+
{{ if .Tag }}
15
+
{{ template "docker-command" (print "helm pull oci://" .RegistryURL "/" .OwnerHandle "/" .RepoName " --version " .Tag) }}
16
+
{{ else }}
17
+
{{ template "docker-command" (print "helm pull oci://" .RegistryURL "/" .OwnerHandle "/" .RepoName) }}
18
+
{{ end }}
19
+
</div>
20
+
{{ else }}
21
+
<div class="space-y-2" id="pull-cmd-container">
22
+
<p class="text-sm font-medium text-base-content/70">Pull this image</p>
23
+
<div class="flex items-center gap-2">
24
+
<select id="oci-client-switcher" class="select select-xs select-bordered w-auto"
25
+
onchange="updatePullCommand(this.value)">
26
+
<option value="docker"{{ if or (eq .OciClient "") (eq .OciClient "docker") }} selected{{ end }}>docker</option>
27
+
<option value="podman"{{ if eq .OciClient "podman" }} selected{{ end }}>podman</option>
28
+
<option value="nerdctl"{{ if eq .OciClient "nerdctl" }} selected{{ end }}>nerdctl</option>
29
+
<option value="buildah"{{ if eq .OciClient "buildah" }} selected{{ end }}>buildah</option>
30
+
<option value="crane"{{ if eq .OciClient "crane" }} selected{{ end }}>crane</option>
31
+
</select>
32
+
<div id="pull-cmd-display" class="flex-1 min-w-0">
33
+
{{ if .Tag }}
34
+
{{ template "docker-command" (print (ociClientName .OciClient) " pull " .RegistryURL "/" .OwnerHandle "/" .RepoName ":" .Tag) }}
35
+
{{ else }}
36
+
{{ template "docker-command" (print (ociClientName .OciClient) " pull " .RegistryURL "/" .OwnerHandle "/" .RepoName ":latest") }}
37
+
{{ end }}
38
+
</div>
39
+
</div>
40
+
</div>
41
+
<script>
42
+
(function() {
43
+
var registryURL = {{ .RegistryURL }};
44
+
var ownerHandle = {{ .OwnerHandle }};
45
+
var repoName = {{ .RepoName }};
46
+
var tag = {{ if .Tag }}{{ .Tag }}{{ else }}"latest"{{ end }};
47
+
var isLoggedIn = {{ .IsLoggedIn }};
48
+
49
+
// Restore from localStorage for anonymous users
50
+
if (!isLoggedIn) {
51
+
var saved = localStorage.getItem('oci-client');
52
+
if (saved) {
53
+
var sel = document.getElementById('oci-client-switcher');
54
+
if (sel) {
55
+
sel.value = saved;
56
+
updatePullCommand(saved);
57
+
}
58
+
}
59
+
}
60
+
61
+
window.updatePullCommand = function(client) {
62
+
var cmd = client + ' pull ' + registryURL + '/' + ownerHandle + '/' + repoName + ':' + tag;
63
+
var container = document.getElementById('pull-cmd-display');
64
+
if (!container) return;
65
+
var code = container.querySelector('code');
66
+
if (code) code.textContent = cmd;
67
+
var btn = container.querySelector('[data-cmd]');
68
+
if (btn) btn.dataset.cmd = cmd;
69
+
70
+
// Persist preference
71
+
if (isLoggedIn) {
72
+
htmx.ajax('POST', '/api/profile/oci-client', {values: {oci_client: client}, swap: 'none'});
73
+
} else {
74
+
localStorage.setItem('oci-client', client);
75
+
}
76
+
};
77
+
})();
78
+
</script>
79
+
{{ end }}
80
+
{{ end }}
+2
pkg/appview/templates/pages/digest.html
+2
pkg/appview/templates/pages/digest.html
+383
-330
pkg/appview/templates/pages/repository.html
+383
-330
pkg/appview/templates/pages/repository.html
···
9
9
{{ template "nav" . }}
10
10
11
11
<main class="container mx-auto px-4 py-8">
12
-
<div class="space-y-8">
13
-
<!-- Repository Header -->
14
-
<div class="card bg-base-100 shadow-sm p-6 space-y-6 w-full">
12
+
<div class="space-y-6">
13
+
<!-- Static Header: Identity + Metadata (does not change with tag) -->
14
+
<div class="card bg-base-100 shadow-sm p-6 space-y-4 w-full">
15
15
<div class="flex gap-4 items-start">
16
16
{{ template "repo-avatar" (dict "IconURL" .Repository.IconURL "RepositoryName" .Repository.Name "IsOwner" .IsOwner) }}
17
17
<div class="flex-1 min-w-0">
···
26
26
</div>
27
27
</div>
28
28
29
-
<!-- Star Button, Pull Count and Metadata Row -->
30
-
<div class="flex flex-wrap items-center justify-between gap-4">
31
-
<div class="flex items-center gap-4">
32
-
{{ template "star" (dict "IsStarred" .IsStarred "StarCount" .StarCount "Interactive" true "Handle" .Owner.Handle "Repository" .Repository.Name) }}
33
-
{{ template "pull-count" (dict "PullCount" .PullCount) }}
29
+
<!-- Metadata Row -->
30
+
<div class="flex flex-wrap items-center gap-3">
31
+
<div class="flex items-center gap-3">
32
+
{{ template "star" (dict "IsStarred" .IsStarred "StarCount" .Stats.StarCount "Interactive" true "Handle" .Owner.Handle "Repository" .Repository.Name) }}
33
+
{{ template "pull-count" (dict "PullCount" .Stats.PullCount) }}
34
+
{{ if .TagCount }}
35
+
<span class="flex items-center gap-1 text-sm text-base-content/70" title="{{ .TagCount }} tags">
36
+
{{ icon "tag" "size-4" }} {{ .TagCount }}
37
+
</span>
38
+
{{ end }}
39
+
{{ if .Stats.LastPush }}
40
+
<span class="text-sm text-base-content/50" title="Last pushed {{ (derefTime .Stats.LastPush).Format "2006-01-02T15:04:05Z07:00" }}">
41
+
Updated {{ timeAgoShort (derefTime .Stats.LastPush) }}
42
+
</span>
43
+
{{ end }}
34
44
</div>
35
45
36
-
<!-- Metadata Section -->
37
46
{{ if or .Repository.Licenses .Repository.SourceURL .Repository.DocumentationURL .Repository.Version }}
38
-
<div class="flex flex-wrap items-center gap-2">
47
+
<div class="flex flex-wrap items-center gap-2 ml-auto">
39
48
{{ if .Repository.Version }}
40
49
<span class="badge badge-md badge-primary badge-outline" title="Version">
41
50
{{ .Repository.Version }}
···
55
64
{{ end }}
56
65
{{ end }}
57
66
{{ if .Repository.SourceURL }}
58
-
<a href="{{ .Repository.SourceURL }}" target="_blank" rel="noopener noreferrer" class="link link-primary text-sm" aria-label="View source code (opens in new tab)">
59
-
Source
67
+
<a href="{{ .Repository.SourceURL }}" target="_blank" rel="noopener noreferrer" class="link link-primary text-sm flex items-center gap-1" aria-label="View source code (opens in new tab)">
68
+
{{ icon "external-link" "size-3" }} Source
60
69
</a>
61
70
{{ end }}
62
71
{{ if .Repository.DocumentationURL }}
63
-
<a href="{{ .Repository.DocumentationURL }}" target="_blank" rel="noopener noreferrer" class="link link-primary text-sm" aria-label="View documentation (opens in new tab)">
64
-
Documentation
72
+
<a href="{{ .Repository.DocumentationURL }}" target="_blank" rel="noopener noreferrer" class="link link-primary text-sm flex items-center gap-1" aria-label="View documentation (opens in new tab)">
73
+
{{ icon "book-open" "size-3" }} Docs
65
74
</a>
66
75
{{ end }}
67
76
</div>
68
77
{{ end }}
69
78
</div>
70
-
71
-
<div class="divider my-2"></div>
79
+
</div>
72
80
73
-
<!-- Pull Command -->
74
-
<div class="space-y-2">
75
-
{{ if eq .ArtifactType "helm-chart" }}
76
-
<p class="font-semibold">Pull this chart</p>
77
-
{{ if .LatestTag }}
78
-
{{ template "docker-command" (print "helm pull oci://" $.RegistryURL "/" $.Owner.Handle "/" $.Repository.Name " --version " .LatestTag) }}
79
-
{{ else }}
80
-
{{ template "docker-command" (print "helm pull oci://" $.RegistryURL "/" $.Owner.Handle "/" $.Repository.Name) }}
81
+
<!-- Tag Selector (stays in DOM, never swapped) -->
82
+
{{ if .SelectedTag }}
83
+
<div class="flex flex-wrap items-center gap-3">
84
+
<div class="flex items-center gap-2">
85
+
{{ icon "tag" "size-4 text-base-content/60" }}
86
+
<select id="tag-selector" class="select select-sm select-bordered font-mono"
87
+
hx-get="/r/{{ .Owner.Handle }}/{{ .Repository.Name }}"
88
+
hx-target="#tag-content"
89
+
hx-swap="outerHTML"
90
+
hx-push-url="true"
91
+
hx-include="this"
92
+
name="tag">
93
+
{{ range .AllTags }}
94
+
<option value="{{ . }}"{{ if eq . $.SelectedTag.Info.Tag.Tag }} selected{{ end }}>{{ . }}</option>
95
+
{{ end }}
96
+
</select>
97
+
</div>
98
+
{{ if .SelectedTag.Info.IsMultiArch }}
99
+
<div id="platform-badges" class="flex flex-wrap items-center gap-1">
100
+
{{ range .SelectedTag.Info.Platforms }}
101
+
<span class="badge badge-sm badge-outline font-mono">{{ .OS }}/{{ .Architecture }}{{ if .Variant }}/{{ .Variant }}{{ end }}</span>
102
+
{{ end }}
103
+
</div>
104
+
{{ else }}
105
+
{{ $p := index .SelectedTag.Info.Platforms 0 }}
106
+
{{ if $p.OS }}
107
+
<div id="platform-badges">
108
+
<span class="badge badge-sm badge-outline font-mono">{{ $p.OS }}/{{ $p.Architecture }}{{ if $p.Variant }}/{{ $p.Variant }}{{ end }}</span>
109
+
</div>
81
110
{{ end }}
82
-
{{ else }}
83
-
<p class="font-semibold">Pull this image</p>
84
-
{{ if .LatestTag }}
85
-
{{ template "docker-command" (print (ociClientName .OciClient) " pull " $.RegistryURL "/" $.Owner.Handle "/" $.Repository.Name ":" .LatestTag) }}
86
-
{{ else }}
87
-
{{ template "docker-command" (print (ociClientName .OciClient) " pull " $.RegistryURL "/" $.Owner.Handle "/" $.Repository.Name ":latest") }}
88
-
{{ end }}
89
-
{{ end }}
90
-
</div>
111
+
{{ end }}
112
+
{{ if .SelectedTag.Info.HasAttestations }}
113
+
<button class="badge badge-sm badge-soft badge-success cursor-pointer hover:opacity-80"
114
+
hx-get="/api/attestation-details?digest={{ .SelectedTag.Info.Digest | urlquery }}&did={{ .Owner.DID | urlquery }}&repo={{ .Repository.Name | urlquery }}"
115
+
hx-target="#attestation-modal-body"
116
+
hx-swap="innerHTML"
117
+
onclick="document.getElementById('attestation-detail-modal').showModal()">
118
+
{{ icon "shield-check" "size-3" }} Attested
119
+
</button>
120
+
{{ end }}
91
121
</div>
122
+
{{ end }}
92
123
93
-
<!-- Tab Navigation -->
94
-
<div class="border-b border-base-300">
95
-
<nav class="flex gap-0" role="tablist">
96
-
<button class="repo-tab px-6 py-3 text-sm font-medium border-b-2 transition-colors cursor-pointer"
97
-
data-tab="overview"
98
-
role="tab"
99
-
onclick="switchRepoTab('overview')">
100
-
Overview
101
-
</button>
102
-
<button class="repo-tab px-6 py-3 text-sm font-medium border-b-2 transition-colors cursor-pointer"
103
-
data-tab="artifacts"
104
-
role="tab"
105
-
id="artifacts-tab-btn"
106
-
onclick="switchRepoTab('artifacts')">
107
-
Artifacts
108
-
</button>
109
-
</nav>
110
-
</div>
124
+
<!-- Tag-Scoped Content (swapped via HTMX on tag change) -->
125
+
{{ template "repo-tag-section" . }}
111
126
112
-
<!-- Tab Panels -->
113
-
<!-- Overview Panel -->
114
-
<div id="tab-overview" class="repo-panel">
115
-
<!-- View mode -->
116
-
<div id="overview-view" class="card bg-base-100 shadow-sm p-6 space-y-4 min-w-0">
117
-
{{ if .IsOwner }}
118
-
<div class="flex justify-end">
119
-
<button class="btn btn-sm btn-ghost gap-1" onclick="toggleOverviewEditor(true)">
120
-
{{ icon "pencil" "size-4" }}
121
-
Edit
127
+
<!-- Inline Editor (hidden, owner only) — outside HTMX-swapped section so edits survive tag changes -->
128
+
{{ if .IsOwner }}
129
+
<div id="overview-edit" class="card bg-base-100 shadow-sm p-6 hidden">
130
+
<!-- Write/Preview tabs -->
131
+
<div class="border-b border-base-300 mb-4">
132
+
<nav class="flex gap-0" role="tablist">
133
+
<button class="editor-tab px-4 py-2 text-sm font-medium border-b-2 border-primary text-primary"
134
+
data-tab="write" onclick="switchEditorTab('write')">
135
+
Write
136
+
</button>
137
+
<button class="editor-tab px-4 py-2 text-sm font-medium border-b-2 border-transparent text-base-content/60"
138
+
data-tab="preview" onclick="switchEditorTab('preview')">
139
+
Preview
122
140
</button>
123
-
</div>
124
-
{{ end }}
125
-
<div id="overview-rendered" class="prose prose-sm max-w-none">
126
-
{{ if .ReadmeHTML }}
127
-
{{ .ReadmeHTML }}
128
-
{{ else }}
129
-
<p class="text-base-content/60">No description available</p>
130
-
{{ end }}
131
-
</div>
141
+
</nav>
132
142
</div>
133
143
134
-
<!-- Edit mode (hidden, owner only) -->
135
-
{{ if .IsOwner }}
136
-
<div id="overview-edit" class="card bg-base-100 shadow-sm p-6 hidden">
137
-
<!-- Write/Preview tabs -->
138
-
<div class="border-b border-base-300 mb-4">
139
-
<nav class="flex gap-0" role="tablist">
140
-
<button class="editor-tab px-4 py-2 text-sm font-medium border-b-2 border-primary text-primary"
141
-
data-tab="write" onclick="switchEditorTab('write')">
142
-
Write
143
-
</button>
144
-
<button class="editor-tab px-4 py-2 text-sm font-medium border-b-2 border-transparent text-base-content/60"
145
-
data-tab="preview" onclick="switchEditorTab('preview')">
146
-
Preview
147
-
</button>
148
-
</nav>
144
+
<!-- Write panel -->
145
+
<div id="editor-write" class="editor-panel">
146
+
<!-- Toolbar -->
147
+
<div class="flex flex-wrap gap-1 mb-2 p-1 bg-base-200 rounded-lg">
148
+
<button type="button" class="btn btn-ghost btn-xs" onclick="insertMd('heading')" title="Heading">
149
+
{{ icon "heading" "size-4" }}
150
+
</button>
151
+
<button type="button" class="btn btn-ghost btn-xs" onclick="insertMd('bold')" title="Bold">
152
+
{{ icon "bold" "size-4" }}
153
+
</button>
154
+
<button type="button" class="btn btn-ghost btn-xs" onclick="insertMd('italic')" title="Italic">
155
+
{{ icon "italic" "size-4" }}
156
+
</button>
157
+
<div class="divider divider-horizontal mx-0"></div>
158
+
<button type="button" class="btn btn-ghost btn-xs" onclick="insertMd('link')" title="Link">
159
+
{{ icon "link" "size-4" }}
160
+
</button>
161
+
<button type="button" class="btn btn-ghost btn-xs" onclick="insertMd('image')" title="Image">
162
+
{{ icon "image" "size-4" }}
163
+
</button>
164
+
<div class="divider divider-horizontal mx-0"></div>
165
+
<button type="button" class="btn btn-ghost btn-xs" onclick="insertMd('ul')" title="Bulleted list">
166
+
{{ icon "list" "size-4" }}
167
+
</button>
168
+
<button type="button" class="btn btn-ghost btn-xs" onclick="insertMd('ol')" title="Numbered list">
169
+
{{ icon "list-ordered" "size-4" }}
170
+
</button>
171
+
<button type="button" class="btn btn-ghost btn-xs" onclick="insertMd('code')" title="Code">
172
+
{{ icon "code" "size-4" }}
173
+
</button>
149
174
</div>
175
+
<textarea id="md-editor"
176
+
class="textarea textarea-bordered w-full font-mono text-sm leading-relaxed"
177
+
rows="20"
178
+
placeholder="Write your repository description in Markdown...">{{ .RawDescription }}</textarea>
179
+
</div>
150
180
151
-
<!-- Write panel -->
152
-
<div id="editor-write" class="editor-panel">
153
-
<!-- Toolbar -->
154
-
<div class="flex flex-wrap gap-1 mb-2 p-1 bg-base-200 rounded-lg">
155
-
<button type="button" class="btn btn-ghost btn-xs" onclick="insertMd('heading')" title="Heading">
156
-
{{ icon "heading" "size-4" }}
157
-
</button>
158
-
<button type="button" class="btn btn-ghost btn-xs" onclick="insertMd('bold')" title="Bold">
159
-
{{ icon "bold" "size-4" }}
160
-
</button>
161
-
<button type="button" class="btn btn-ghost btn-xs" onclick="insertMd('italic')" title="Italic">
162
-
{{ icon "italic" "size-4" }}
163
-
</button>
164
-
<div class="divider divider-horizontal mx-0"></div>
165
-
<button type="button" class="btn btn-ghost btn-xs" onclick="insertMd('link')" title="Link">
166
-
{{ icon "link" "size-4" }}
167
-
</button>
168
-
<button type="button" class="btn btn-ghost btn-xs" onclick="insertMd('image')" title="Image">
169
-
{{ icon "image" "size-4" }}
170
-
</button>
171
-
<div class="divider divider-horizontal mx-0"></div>
172
-
<button type="button" class="btn btn-ghost btn-xs" onclick="insertMd('ul')" title="Bulleted list">
173
-
{{ icon "list" "size-4" }}
174
-
</button>
175
-
<button type="button" class="btn btn-ghost btn-xs" onclick="insertMd('ol')" title="Numbered list">
176
-
{{ icon "list-ordered" "size-4" }}
177
-
</button>
178
-
<button type="button" class="btn btn-ghost btn-xs" onclick="insertMd('code')" title="Code">
179
-
{{ icon "code" "size-4" }}
180
-
</button>
181
-
</div>
182
-
<textarea id="md-editor"
183
-
class="textarea textarea-bordered w-full font-mono text-sm leading-relaxed"
184
-
rows="20"
185
-
placeholder="Write your repository description in Markdown...">{{ .RawDescription }}</textarea>
186
-
</div>
187
-
188
-
<!-- Preview panel -->
189
-
<div id="editor-preview" class="editor-panel hidden">
190
-
<div id="preview-content" class="prose prose-sm max-w-none min-h-[20rem] p-4 border border-base-300 rounded-lg">
191
-
<p class="text-base-content/60">Nothing to preview</p>
192
-
</div>
193
-
</div>
194
-
195
-
<!-- Actions -->
196
-
<div class="flex justify-end gap-2 mt-4">
197
-
<button class="btn btn-sm btn-ghost" onclick="toggleOverviewEditor(false)">Cancel</button>
198
-
<button class="btn btn-sm btn-primary" id="save-overview-btn" onclick="saveOverview()">Save</button>
181
+
<!-- Preview panel -->
182
+
<div id="editor-preview" class="editor-panel hidden">
183
+
<div id="preview-content" class="prose prose-sm max-w-none min-h-[20rem] p-4 border border-base-300 rounded-lg">
184
+
<p class="text-base-content/60">Nothing to preview</p>
199
185
</div>
200
186
</div>
201
187
202
-
<script>
203
-
(function() {
204
-
var textarea = document.getElementById('md-editor');
205
-
if (!textarea) return;
206
-
207
-
var ownerDID = {{ .Owner.DID }};
208
-
var repoName = {{ .Repository.Name }};
209
-
210
-
window.toggleOverviewEditor = function(show) {
211
-
document.getElementById('overview-view').classList.toggle('hidden', show);
212
-
document.getElementById('overview-edit').classList.toggle('hidden', !show);
213
-
if (show) textarea.focus();
214
-
};
215
-
216
-
window.switchEditorTab = function(tab) {
217
-
document.querySelectorAll('.editor-panel').forEach(function(p) { p.classList.add('hidden'); });
218
-
document.getElementById(tab === 'write' ? 'editor-write' : 'editor-preview').classList.remove('hidden');
219
-
220
-
document.querySelectorAll('.editor-tab').forEach(function(t) {
221
-
var active = t.dataset.tab === tab;
222
-
t.classList.toggle('border-primary', active);
223
-
t.classList.toggle('text-primary', active);
224
-
t.classList.toggle('border-transparent', !active);
225
-
t.classList.toggle('text-base-content/60', !active);
226
-
});
227
-
228
-
if (tab === 'preview') {
229
-
var content = textarea.value;
230
-
var previewEl = document.getElementById('preview-content');
231
-
if (!content.trim()) {
232
-
previewEl.innerHTML = '<p class="text-base-content/60">Nothing to preview</p>';
233
-
return;
234
-
}
235
-
var form = new FormData();
236
-
form.append('markdown', content);
237
-
fetch('/api/repo-page/preview', { method: 'POST', body: form })
238
-
.then(function(r) { return r.text(); })
239
-
.then(function(html) { previewEl.innerHTML = html; });
240
-
}
241
-
};
242
-
243
-
window.insertMd = function(type) {
244
-
var start = textarea.selectionStart;
245
-
var end = textarea.selectionEnd;
246
-
var selected = textarea.value.substring(start, end);
247
-
var before = textarea.value.substring(0, start);
248
-
var after = textarea.value.substring(end);
249
-
var insert, cursorStart, cursorEnd;
250
-
251
-
switch (type) {
252
-
case 'heading':
253
-
insert = '## ' + (selected || 'Heading');
254
-
cursorStart = start + 3;
255
-
cursorEnd = start + insert.length;
256
-
break;
257
-
case 'bold':
258
-
insert = '**' + (selected || 'bold text') + '**';
259
-
cursorStart = start + 2;
260
-
cursorEnd = start + insert.length - 2;
261
-
break;
262
-
case 'italic':
263
-
insert = '_' + (selected || 'italic text') + '_';
264
-
cursorStart = start + 1;
265
-
cursorEnd = start + insert.length - 1;
266
-
break;
267
-
case 'link':
268
-
insert = '[' + (selected || 'link text') + '](url)';
269
-
cursorStart = start + insert.length - 4;
270
-
cursorEnd = start + insert.length - 1;
271
-
break;
272
-
case 'image':
273
-
insert = '';
274
-
cursorStart = start + insert.length - 4;
275
-
cursorEnd = start + insert.length - 1;
276
-
break;
277
-
case 'ul':
278
-
insert = '- ' + (selected || 'list item');
279
-
cursorStart = start + 2;
280
-
cursorEnd = start + insert.length;
281
-
break;
282
-
case 'ol':
283
-
insert = '1. ' + (selected || 'list item');
284
-
cursorStart = start + 3;
285
-
cursorEnd = start + insert.length;
286
-
break;
287
-
case 'code':
288
-
if (selected && selected.indexOf('\n') !== -1) {
289
-
insert = '```\n' + selected + '\n```';
290
-
cursorStart = start + 4;
291
-
cursorEnd = start + 4 + selected.length;
292
-
} else {
293
-
insert = '`' + (selected || 'code') + '`';
294
-
cursorStart = start + 1;
295
-
cursorEnd = start + insert.length - 1;
296
-
}
297
-
break;
298
-
default:
299
-
return;
300
-
}
301
-
302
-
textarea.value = before + insert + after;
303
-
textarea.focus();
304
-
textarea.selectionStart = cursorStart;
305
-
textarea.selectionEnd = cursorEnd;
306
-
};
307
-
308
-
window.saveOverview = function() {
309
-
var btn = document.getElementById('save-overview-btn');
310
-
btn.classList.add('btn-disabled');
311
-
btn.innerHTML = '<span class="loading loading-spinner loading-xs"></span> Saving...';
312
-
313
-
var form = new FormData();
314
-
form.append('did', ownerDID);
315
-
form.append('repository', repoName);
316
-
form.append('description', textarea.value);
317
-
318
-
fetch('/api/repo-page', {
319
-
method: 'POST',
320
-
body: form,
321
-
headers: { 'HX-Request': 'true' }
322
-
})
323
-
.then(function(r) {
324
-
if (!r.ok) return r.text().then(function(t) { throw new Error(t); });
325
-
return r.text();
326
-
})
327
-
.then(function(html) {
328
-
document.getElementById('overview-rendered').innerHTML = html;
329
-
toggleOverviewEditor(false);
330
-
if (typeof showToast === 'function') showToast('Overview saved', 'success');
331
-
})
332
-
.catch(function(err) {
333
-
if (typeof showToast === 'function') showToast(err.message || 'Failed to save', 'error');
334
-
})
335
-
.finally(function() {
336
-
btn.classList.remove('btn-disabled');
337
-
btn.innerHTML = 'Save';
338
-
});
339
-
};
340
-
341
-
// Ctrl+S / Cmd+S to save
342
-
textarea.addEventListener('keydown', function(e) {
343
-
if ((e.ctrlKey || e.metaKey) && e.key === 's') {
344
-
e.preventDefault();
345
-
saveOverview();
346
-
}
347
-
});
348
-
})();
349
-
</script>
350
-
{{ end }}
351
-
</div>
352
-
353
-
<!-- Tags Panel -->
354
-
<div id="tab-artifacts" class="repo-panel hidden">
355
-
<div id="tags-content">
356
-
<div class="flex justify-center py-12">
357
-
<span class="loading loading-spinner loading-lg"></span>
358
-
</div>
188
+
<!-- Actions -->
189
+
<div class="flex justify-end gap-2 mt-4">
190
+
<button class="btn btn-sm btn-ghost" onclick="toggleOverviewEditor(false)">Cancel</button>
191
+
<button class="btn btn-sm btn-primary" id="save-overview-btn" onclick="saveOverview()">Save</button>
359
192
</div>
360
193
</div>
194
+
{{ end }}
361
195
</div>
362
196
</main>
363
197
···
412
246
<form method="dialog" class="modal-backdrop"><button>close</button></form>
413
247
</dialog>
414
248
249
+
{{ if .IsOwner }}
415
250
<script>
416
251
(function() {
417
-
var validTabs = ['overview', 'artifacts'];
418
-
var tagsLoading = false;
252
+
var textarea = document.getElementById('md-editor');
253
+
if (!textarea) return;
419
254
420
-
function loadTags() {
421
-
if (tagsLoading) return;
422
-
tagsLoading = true;
423
-
var target = document.getElementById('tags-content');
424
-
fetch('/api/repo-tags/{{ .Owner.Handle }}/{{ .Repository.Name }}')
255
+
var ownerDID = {{ .Owner.DID }};
256
+
var repoName = {{ .Repository.Name }};
257
+
258
+
window.toggleOverviewEditor = function(show) {
259
+
document.getElementById('overview-view').classList.toggle('hidden', show);
260
+
document.getElementById('overview-edit').classList.toggle('hidden', !show);
261
+
if (show) textarea.focus();
262
+
};
263
+
264
+
window.switchEditorTab = function(tab) {
265
+
document.querySelectorAll('.editor-panel').forEach(function(p) { p.classList.add('hidden'); });
266
+
document.getElementById(tab === 'write' ? 'editor-write' : 'editor-preview').classList.remove('hidden');
267
+
268
+
document.querySelectorAll('.editor-tab').forEach(function(t) {
269
+
var active = t.dataset.tab === tab;
270
+
t.classList.toggle('border-primary', active);
271
+
t.classList.toggle('text-primary', active);
272
+
t.classList.toggle('border-transparent', !active);
273
+
t.classList.toggle('text-base-content/60', !active);
274
+
});
275
+
276
+
if (tab === 'preview') {
277
+
var content = textarea.value;
278
+
var previewEl = document.getElementById('preview-content');
279
+
if (!content.trim()) {
280
+
previewEl.innerHTML = '<p class="text-base-content/60">Nothing to preview</p>';
281
+
return;
282
+
}
283
+
var form = new FormData();
284
+
form.append('markdown', content);
285
+
fetch('/api/repo-page/preview', { method: 'POST', body: form })
286
+
.then(function(r) { return r.text(); })
287
+
.then(function(html) { previewEl.innerHTML = html; });
288
+
}
289
+
};
290
+
291
+
window.insertMd = function(type) {
292
+
var start = textarea.selectionStart;
293
+
var end = textarea.selectionEnd;
294
+
var selected = textarea.value.substring(start, end);
295
+
var before = textarea.value.substring(0, start);
296
+
var after = textarea.value.substring(end);
297
+
var insert, cursorStart, cursorEnd;
298
+
299
+
switch (type) {
300
+
case 'heading':
301
+
insert = '## ' + (selected || 'Heading');
302
+
cursorStart = start + 3;
303
+
cursorEnd = start + insert.length;
304
+
break;
305
+
case 'bold':
306
+
insert = '**' + (selected || 'bold text') + '**';
307
+
cursorStart = start + 2;
308
+
cursorEnd = start + insert.length - 2;
309
+
break;
310
+
case 'italic':
311
+
insert = '_' + (selected || 'italic text') + '_';
312
+
cursorStart = start + 1;
313
+
cursorEnd = start + insert.length - 1;
314
+
break;
315
+
case 'link':
316
+
insert = '[' + (selected || 'link text') + '](url)';
317
+
cursorStart = start + insert.length - 4;
318
+
cursorEnd = start + insert.length - 1;
319
+
break;
320
+
case 'image':
321
+
insert = '';
322
+
cursorStart = start + insert.length - 4;
323
+
cursorEnd = start + insert.length - 1;
324
+
break;
325
+
case 'ul':
326
+
insert = '- ' + (selected || 'list item');
327
+
cursorStart = start + 2;
328
+
cursorEnd = start + insert.length;
329
+
break;
330
+
case 'ol':
331
+
insert = '1. ' + (selected || 'list item');
332
+
cursorStart = start + 3;
333
+
cursorEnd = start + insert.length;
334
+
break;
335
+
case 'code':
336
+
if (selected && selected.indexOf('\n') !== -1) {
337
+
insert = '```\n' + selected + '\n```';
338
+
cursorStart = start + 4;
339
+
cursorEnd = start + 4 + selected.length;
340
+
} else {
341
+
insert = '`' + (selected || 'code') + '`';
342
+
cursorStart = start + 1;
343
+
cursorEnd = start + insert.length - 1;
344
+
}
345
+
break;
346
+
default:
347
+
return;
348
+
}
349
+
350
+
textarea.value = before + insert + after;
351
+
textarea.focus();
352
+
textarea.selectionStart = cursorStart;
353
+
textarea.selectionEnd = cursorEnd;
354
+
};
355
+
356
+
window.saveOverview = function() {
357
+
var btn = document.getElementById('save-overview-btn');
358
+
btn.classList.add('btn-disabled');
359
+
btn.innerHTML = '<span class="loading loading-spinner loading-xs"></span> Saving...';
360
+
361
+
var form = new FormData();
362
+
form.append('did', ownerDID);
363
+
form.append('repository', repoName);
364
+
form.append('description', textarea.value);
365
+
366
+
fetch('/api/repo-page', {
367
+
method: 'POST',
368
+
body: form,
369
+
headers: { 'HX-Request': 'true' }
370
+
})
371
+
.then(function(r) {
372
+
if (!r.ok) return r.text().then(function(t) { throw new Error(t); });
373
+
return r.text();
374
+
})
375
+
.then(function(html) {
376
+
document.getElementById('overview-rendered').innerHTML = html;
377
+
toggleOverviewEditor(false);
378
+
if (typeof showToast === 'function') showToast('Overview saved', 'success');
379
+
})
380
+
.catch(function(err) {
381
+
if (typeof showToast === 'function') showToast(err.message || 'Failed to save', 'error');
382
+
})
383
+
.finally(function() {
384
+
btn.classList.remove('btn-disabled');
385
+
btn.innerHTML = 'Save';
386
+
});
387
+
};
388
+
389
+
// Ctrl+S / Cmd+S to save
390
+
textarea.addEventListener('keydown', function(e) {
391
+
if ((e.ctrlKey || e.metaKey) && e.key === 's') {
392
+
e.preventDefault();
393
+
saveOverview();
394
+
}
395
+
});
396
+
})();
397
+
</script>
398
+
{{ end }}
399
+
400
+
<script>
401
+
// Global helpers (tags sort/filter)
402
+
window.sortTags = function(method) {
403
+
var container = document.getElementById('tags-list');
404
+
if (!container) return;
405
+
var entries = Array.from(container.querySelectorAll('.artifact-entry'));
406
+
entries.sort(function(a, b) {
407
+
switch (method) {
408
+
case 'oldest': return parseInt(a.dataset.created) - parseInt(b.dataset.created);
409
+
case 'az': return a.dataset.tag.localeCompare(b.dataset.tag);
410
+
case 'za': return b.dataset.tag.localeCompare(a.dataset.tag);
411
+
default: return parseInt(b.dataset.created) - parseInt(a.dataset.created);
412
+
}
413
+
});
414
+
entries.forEach(function(el) { container.appendChild(el); });
415
+
};
416
+
417
+
window.filterTags = function(query) {
418
+
var q = query.toLowerCase();
419
+
document.querySelectorAll('#tags-list .artifact-entry').forEach(function(el) {
420
+
el.style.display = (!q || el.dataset.tag.toLowerCase().includes(q)) ? '' : 'none';
421
+
});
422
+
};
423
+
424
+
// Tab controller — reads config from #tag-content data attributes.
425
+
// Re-runs on initial load and after every HTMX swap of #tag-content.
426
+
(function() {
427
+
var validTabs = ['overview', 'layers', 'vulns', 'sbom', 'artifacts'];
428
+
var loaded = {};
429
+
430
+
function lazyLoad(id, url) {
431
+
if (loaded[id]) return;
432
+
loaded[id] = true;
433
+
var target = document.getElementById(id);
434
+
if (!target) return;
435
+
fetch(url)
425
436
.then(function(r) { return r.text(); })
426
437
.then(function(html) {
427
438
target.innerHTML = html;
428
-
htmx.process(target);
439
+
// innerHTML doesn't execute <script> tags — re-create them
440
+
target.querySelectorAll('script').forEach(function(old) {
441
+
var s = document.createElement('script');
442
+
s.textContent = old.textContent;
443
+
old.parentNode.replaceChild(s, old);
444
+
});
445
+
if (typeof htmx !== 'undefined') htmx.process(target);
429
446
});
430
447
}
431
448
449
+
function contentUrl(section) {
450
+
var el = document.getElementById('tag-content');
451
+
if (!el) return null;
452
+
var owner = el.dataset.owner;
453
+
var repo = el.dataset.repo;
454
+
var digest = el.dataset.digest;
455
+
if (!digest) return null;
456
+
return '/api/digest-content/' + owner + '/' + repo + '?digest=' + encodeURIComponent(digest) + '§ion=' + section;
457
+
}
458
+
459
+
function tagsUrl() {
460
+
var el = document.getElementById('tag-content');
461
+
if (!el) return null;
462
+
return '/api/repo-tags/' + el.dataset.owner + '/' + el.dataset.repo;
463
+
}
464
+
432
465
window.switchRepoTab = function(tabId) {
433
-
document.querySelectorAll('.repo-panel').forEach(function(p) {
466
+
window._activeRepoTab = tabId;
467
+
var section = document.getElementById('tag-content');
468
+
if (!section) return;
469
+
470
+
section.querySelectorAll('.repo-panel').forEach(function(p) {
434
471
p.classList.add('hidden');
435
472
});
436
473
var panel = document.getElementById('tab-' + tabId);
437
474
if (panel) panel.classList.remove('hidden');
438
475
439
-
document.querySelectorAll('.repo-tab').forEach(function(tab) {
476
+
section.querySelectorAll('.repo-tab').forEach(function(tab) {
440
477
if (tab.dataset.tab === tabId) {
441
478
tab.classList.add('border-primary', 'text-primary');
442
-
tab.classList.remove('border-transparent', 'text-base-content/60', 'hover:text-base-content');
479
+
tab.classList.remove('border-transparent', 'text-base-content/60');
443
480
} else {
444
481
tab.classList.remove('border-primary', 'text-primary');
445
-
tab.classList.add('border-transparent', 'text-base-content/60', 'hover:text-base-content');
482
+
tab.classList.add('border-transparent', 'text-base-content/60');
446
483
}
447
484
});
448
485
449
-
history.replaceState(null, '', '#' + tabId);
450
-
if (tabId === 'artifacts') loadTags();
486
+
var url = new URL(window.location);
487
+
url.hash = tabId;
488
+
history.replaceState(null, '', url.toString());
489
+
490
+
if (tabId === 'artifacts') { var u = tagsUrl(); if (u) lazyLoad('artifacts-content', u); }
491
+
if (tabId === 'layers') { var u = contentUrl('layers'); if (u) lazyLoad('layers-content', u); }
492
+
if (tabId === 'vulns') { var u = contentUrl('vulns'); if (u) lazyLoad('vulns-content', u); }
493
+
if (tabId === 'sbom') { var u = contentUrl('sbom'); if (u) lazyLoad('sbom-content', u); }
451
494
};
452
495
453
-
window.sortTags = function(method) {
454
-
var container = document.getElementById('tags-list');
455
-
if (!container) return;
456
-
var entries = Array.from(container.querySelectorAll('.artifact-entry'));
457
-
entries.sort(function(a, b) {
458
-
switch (method) {
459
-
case 'oldest': return parseInt(a.dataset.created) - parseInt(b.dataset.created);
460
-
case 'az': return a.dataset.tag.localeCompare(b.dataset.tag);
461
-
case 'za': return b.dataset.tag.localeCompare(a.dataset.tag);
462
-
default: return parseInt(b.dataset.created) - parseInt(a.dataset.created);
463
-
}
464
-
});
465
-
entries.forEach(function(el) { container.appendChild(el); });
466
-
};
496
+
function initTabs() {
497
+
// Reset lazy-load tracking (new tag = new content)
498
+
loaded = {};
499
+
500
+
// Prefetch on hover
501
+
var tagsBtn = document.getElementById('artifacts-tab-btn');
502
+
if (tagsBtn) tagsBtn.addEventListener('mouseenter', function() { var u = tagsUrl(); if (u) lazyLoad('artifacts-content', u); }, { once: true });
503
+
var layersBtn = document.getElementById('layers-tab-btn');
504
+
if (layersBtn) layersBtn.addEventListener('mouseenter', function() { var u = contentUrl('layers'); if (u) lazyLoad('layers-content', u); }, { once: true });
505
+
var vulnsBtn = document.getElementById('vulns-tab-btn');
506
+
if (vulnsBtn) vulnsBtn.addEventListener('mouseenter', function() { var u = contentUrl('vulns'); if (u) lazyLoad('vulns-content', u); }, { once: true });
507
+
var sbomBtn = document.getElementById('sbom-tab-btn');
508
+
if (sbomBtn) sbomBtn.addEventListener('mouseenter', function() { var u = contentUrl('sbom'); if (u) lazyLoad('sbom-content', u); }, { once: true });
509
+
510
+
// Pick tab: persisted > hash > default
511
+
var initTab = window._activeRepoTab || window.location.hash.replace('#', '') || 'overview';
512
+
if (validTabs.indexOf(initTab) === -1) initTab = 'overview';
513
+
switchRepoTab(initTab);
514
+
}
467
515
468
-
window.filterTags = function(query) {
469
-
var q = query.toLowerCase();
470
-
document.querySelectorAll('#tags-list .artifact-entry').forEach(function(el) {
471
-
el.style.display = (!q || el.dataset.tag.toLowerCase().includes(q)) ? '' : 'none';
472
-
});
473
-
};
516
+
// Run on initial page load
517
+
initTabs();
474
518
475
-
// Prefetch on hover
476
-
document.getElementById('artifacts-tab-btn').addEventListener('mouseenter', loadTags, { once: true });
519
+
// Keyboard shortcuts: first letter of each tab name
520
+
document.addEventListener('keydown', function(e) {
521
+
if (e.target.tagName === 'INPUT' || e.target.tagName === 'TEXTAREA' ||
522
+
e.target.tagName === 'SELECT' || e.target.isContentEditable) return;
523
+
if (e.ctrlKey || e.metaKey || e.altKey) return;
524
+
var map = { o: 'overview', l: 'layers', v: 'vulns', s: 'sbom', a: 'artifacts' };
525
+
var tab = map[e.key.toLowerCase()];
526
+
if (tab && validTabs.indexOf(tab) !== -1) switchRepoTab(tab);
527
+
});
477
528
478
-
// Initialize tab from hash
479
-
var hash = window.location.hash.replace('#', '') || 'overview';
480
-
if (validTabs.indexOf(hash) === -1) hash = 'overview';
481
-
switchRepoTab(hash);
529
+
// Re-run after HTMX swaps tag section content (tag dropdown change)
530
+
document.body.addEventListener('htmx:afterSettle', function(evt) {
531
+
if (evt.detail.target && evt.detail.target.id === 'tag-content') {
532
+
initTabs();
533
+
}
534
+
});
482
535
})();
483
536
</script>
484
537
+37
-3
pkg/appview/templates/pages/settings.html
+37
-3
pkg/appview/templates/pages/settings.html
···
22
22
<button class="btn btn-sm btn-ghost settings-tab-mobile" data-tab="user">
23
23
{{ icon "user" "size-4" }} User
24
24
</button>
25
+
<button class="btn btn-sm btn-ghost settings-tab-mobile" data-tab="billing">
26
+
{{ icon "credit-card" "size-4" }} Billing
27
+
</button>
25
28
<button class="btn btn-sm btn-ghost settings-tab-mobile" data-tab="storage">
26
29
{{ icon "hard-drive" "size-4" }} Storage
27
30
</button>
···
41
44
<aside class="hidden lg:block w-56 shrink-0">
42
45
<ul class="menu bg-base-200 rounded-box w-full">
43
46
<li data-tab="user"><a href="#user">{{ icon "user" "size-4" }} User</a></li>
47
+
<li data-tab="billing"><a href="#billing">{{ icon "credit-card" "size-4" }} Billing</a></li>
44
48
<li data-tab="storage"><a href="#storage">{{ icon "hard-drive" "size-4" }} Storage</a></li>
45
49
<li data-tab="devices"><a href="#devices">{{ icon "terminal" "size-4" }} Devices</a></li>
46
50
<li data-tab="webhooks"><a href="#webhooks">{{ icon "webhook" "size-4" }} Webhooks</a></li>
···
79
83
<option value="crane"{{ if eq $oci "crane" }} selected{{ end }}>crane</option>
80
84
</select>
81
85
</div>
86
+
87
+
<!-- AI Image Advisor Toggle -->
88
+
{{ if .AIAdvisorEnabled }}
89
+
<div class="divider my-2"></div>
90
+
<div class="flex items-start gap-3">
91
+
{{ if .Profile.HasAIAdvisorAccess }}
92
+
<label class="flex items-start gap-3 cursor-pointer">
93
+
<input type="checkbox" class="toggle toggle-primary mt-0.5"
94
+
hx-post="/api/profile/ai-advisor"
95
+
hx-trigger="change"
96
+
hx-swap="none"
97
+
{{ if .Profile.AIAdvisorEnabled }}checked{{ end }}>
98
+
<div>
99
+
<span class="font-medium">AI Image Advisor</span>
100
+
<p class="text-xs text-base-content/60">Analyze your container images for optimization suggestions using AI.</p>
101
+
</div>
102
+
</label>
103
+
{{ else }}
104
+
<div>
105
+
<span class="font-medium text-base-content/50">AI Image Advisor</span>
106
+
<p class="text-xs text-base-content/50">Analyze your container images for optimization suggestions using AI.</p>
107
+
<p class="text-xs text-primary mt-1">
108
+
<a href="/settings#billing" onclick="switchSettingsTab('billing')">Upgrade your plan</a> to enable this feature.
109
+
</p>
110
+
</div>
111
+
{{ end }}
112
+
</div>
113
+
{{ end }}
82
114
</section>
83
115
</div>
84
116
85
117
<!-- STORAGE TAB -->
86
118
<div id="tab-storage" class="settings-panel hidden space-y-4">
87
-
<!-- Available Plans -->
88
-
{{ template "subscription_plans" .Subscription }}
89
-
90
119
<!-- Holds -->
91
120
{{ if .AllHolds }}
92
121
<div class="grid grid-cols-1 lg:grid-cols-2 gap-4">
···
130
159
</div>
131
160
</label>
132
161
</section>
162
+
</div>
163
+
164
+
<!-- BILLING TAB -->
165
+
<div id="tab-billing" class="settings-panel hidden space-y-4">
166
+
{{ template "subscription_plans" .Subscription }}
133
167
</div>
134
168
135
169
<!-- DEVICES TAB -->
+2
-2
pkg/appview/templates/partials/digest-content.html
+2
-2
pkg/appview/templates/partials/digest-content.html
···
37
37
</div>
38
38
<script>
39
39
(function() {
40
-
var showEmpty = localStorage.getItem('showEmptyLayers') !== 'false';
40
+
var showEmpty = localStorage.getItem('showEmptyLayers') === 'true';
41
41
document.querySelectorAll('.show-empty-layers-cb').forEach(function(cb) { cb.checked = showEmpty; });
42
42
43
43
window.toggleEmptyLayers = function(show) {
···
105
105
}
106
106
107
107
function applyLayerVisibility() {
108
-
var show = localStorage.getItem('showEmptyLayers') !== 'false';
108
+
var show = localStorage.getItem('showEmptyLayers') === 'true';
109
109
document.querySelectorAll('.layers-table tr[data-empty="true"]').forEach(function(row) {
110
110
row.style.display = show ? '' : 'none';
111
111
});
+75
pkg/appview/templates/partials/image-advisor-results.html
+75
pkg/appview/templates/partials/image-advisor-results.html
···
1
+
{{ define "image-advisor-results" }}
2
+
{{ if eq .Error "upgrade_required" }}
3
+
<div class="alert alert-info text-sm">
4
+
{{ icon "sparkles" "size-4" }}
5
+
<span>AI Image Advisor is a paid feature. <a href="/settings#billing" class="link link-primary font-medium">Upgrade your plan</a> to unlock image analysis.</span>
6
+
</div>
7
+
{{ else if .Error }}
8
+
<div class="alert alert-warning text-sm">
9
+
{{ icon "alert-triangle" "size-4" }}
10
+
<span>{{ .Error }}</span>
11
+
</div>
12
+
{{ else if .Suggestions }}
13
+
<div class="card bg-base-100 shadow-sm border border-base-300">
14
+
<div class="card-body p-4 space-y-3">
15
+
<h3 class="text-sm font-semibold flex items-center gap-2">
16
+
{{ icon "sparkle" "size-4" }}
17
+
AI Suggestions ({{ len .Suggestions }})
18
+
</h3>
19
+
<div class="overflow-x-auto">
20
+
<table class="table table-xs w-full">
21
+
<thead>
22
+
<tr>
23
+
<th>Action</th>
24
+
<th>Category</th>
25
+
<th>Impact</th>
26
+
<th>Effort</th>
27
+
<th class="w-1/2">Detail</th>
28
+
</tr>
29
+
</thead>
30
+
<tbody>
31
+
{{ range .Suggestions }}
32
+
<tr>
33
+
<td class="font-medium text-sm">{{ .Action }}</td>
34
+
<td>
35
+
<span class="badge badge-sm badge-ghost whitespace-nowrap">{{ .Category }}</span>
36
+
</td>
37
+
<td>
38
+
{{ if eq .Impact "high" }}
39
+
<span class="badge badge-sm badge-error">high</span>
40
+
{{ else if eq .Impact "medium" }}
41
+
<span class="badge badge-sm badge-warning">medium</span>
42
+
{{ else }}
43
+
<span class="badge badge-sm badge-info">low</span>
44
+
{{ end }}
45
+
</td>
46
+
<td>
47
+
{{ if eq .Effort "low" }}
48
+
<span class="badge badge-sm badge-success">low</span>
49
+
{{ else if eq .Effort "medium" }}
50
+
<span class="badge badge-sm badge-warning">medium</span>
51
+
{{ else }}
52
+
<span class="badge badge-sm badge-ghost">high</span>
53
+
{{ end }}
54
+
</td>
55
+
<td class="text-xs max-w-xs">
56
+
{{ .Detail }}
57
+
{{ if gt .CVEsFixed 0 }}
58
+
<span class="badge badge-xs badge-outline badge-error ml-1">{{ .CVEsFixed }} CVEs</span>
59
+
{{ end }}
60
+
{{ if gt .SizeSavedMB 0 }}
61
+
<span class="badge badge-xs badge-outline badge-info ml-1">-{{ .SizeSavedMB }}MB</span>
62
+
{{ end }}
63
+
</td>
64
+
</tr>
65
+
{{ end }}
66
+
</tbody>
67
+
</table>
68
+
</div>
69
+
<p class="text-xs opacity-50">Generated by Claude Haiku. Suggestions are advisory only.</p>
70
+
</div>
71
+
</div>
72
+
{{ else }}
73
+
<p class="text-sm opacity-60">No suggestions generated.</p>
74
+
{{ end }}
75
+
{{ end }}
+119
pkg/appview/templates/partials/layers-section.html
+119
pkg/appview/templates/partials/layers-section.html
···
1
+
{{ define "layers-section" }}
2
+
<div class="card bg-base-100 shadow-sm border border-base-300 p-6 space-y-4 min-w-0">
3
+
<div class="flex items-center justify-between">
4
+
<h2 class="text-lg font-semibold">Layers ({{ len .Layers }})</h2>
5
+
<label class="flex items-center gap-2 text-sm cursor-pointer">
6
+
<input type="checkbox" class="checkbox checkbox-xs show-empty-layers-cb" onchange="toggleEmptyLayers(this.checked)">
7
+
<span>Show empty layers</span>
8
+
</label>
9
+
</div>
10
+
{{ if .Layers }}
11
+
<div class="overflow-x-auto">
12
+
<table class="table table-xs w-full layers-table">
13
+
<thead>
14
+
<tr class="text-xs">
15
+
<th class="w-8">#</th>
16
+
<th>Command</th>
17
+
<th class="text-right w-24">Size</th>
18
+
</tr>
19
+
</thead>
20
+
<tbody>
21
+
{{ range .Layers }}
22
+
<tr data-empty="{{ .EmptyLayer }}" data-no-command="{{ and (not .Command) (not .EmptyLayer) }}">
23
+
<td class="font-mono text-xs">{{ .Index }}</td>
24
+
<td>
25
+
{{ if .Command }}
26
+
<code class="font-mono text-xs break-all line-clamp-2" title="{{ .Command }}">{{ .Command }}</code>
27
+
{{ end }}
28
+
</td>
29
+
<td class="text-right text-sm whitespace-nowrap">{{ humanizeBytes .Size }}</td>
30
+
</tr>
31
+
{{ end }}
32
+
</tbody>
33
+
</table>
34
+
</div>
35
+
<script>
36
+
(function() {
37
+
var showEmpty = localStorage.getItem('showEmptyLayers') === 'true';
38
+
document.querySelectorAll('.show-empty-layers-cb').forEach(function(cb) { cb.checked = showEmpty; });
39
+
40
+
window.toggleEmptyLayers = function(show) {
41
+
localStorage.setItem('showEmptyLayers', show);
42
+
document.querySelectorAll('.show-empty-layers-cb').forEach(function(cb) { cb.checked = show; });
43
+
applyLayerVisibility();
44
+
};
45
+
46
+
function collapseNoHistoryLayers() {
47
+
document.querySelectorAll('.layers-table').forEach(function(table) {
48
+
var tbody = table.querySelector('tbody');
49
+
if (!tbody) return;
50
+
51
+
var rows = Array.from(tbody.querySelectorAll('tr'));
52
+
var i = 0;
53
+
while (i < rows.length) {
54
+
if (rows[i].dataset.noCommand === 'true') {
55
+
var start = i;
56
+
while (i < rows.length && rows[i].dataset.noCommand === 'true') {
57
+
rows[i].classList.add('no-history-row', 'hidden');
58
+
i++;
59
+
}
60
+
var count = i - start;
61
+
if (count > 1) {
62
+
var totalBytes = 0;
63
+
for (var k = start; k < start + count; k++) {
64
+
var sizeCell = rows[k].querySelector('td:last-child');
65
+
if (sizeCell) {
66
+
var txt = sizeCell.textContent.trim();
67
+
var match = txt.match(/([\d.]+)\s*(B|KB|MB|GB|TB)/i);
68
+
if (match) {
69
+
var val = parseFloat(match[1]);
70
+
var unit = match[2].toUpperCase();
71
+
var multipliers = {'B':1,'KB':1024,'MB':1048576,'GB':1073741824,'TB':1099511627776};
72
+
totalBytes += val * (multipliers[unit] || 1);
73
+
}
74
+
}
75
+
}
76
+
var sizeStr = '';
77
+
if (totalBytes < 1024) sizeStr = totalBytes + ' B';
78
+
else if (totalBytes < 1048576) sizeStr = (totalBytes/1024).toFixed(1) + ' KB';
79
+
else if (totalBytes < 1073741824) sizeStr = (totalBytes/1048576).toFixed(1) + ' MB';
80
+
else sizeStr = (totalBytes/1073741824).toFixed(1) + ' GB';
81
+
82
+
var startIdx = rows[start].querySelector('td').textContent.trim();
83
+
var endIdx = rows[i - 1].querySelector('td').textContent.trim();
84
+
var summary = document.createElement('tr');
85
+
summary.className = 'no-history-summary cursor-pointer hover:bg-base-200';
86
+
summary.innerHTML = '<td colspan="2" class="text-sm py-2">Layers ' + startIdx + '-' + endIdx + ' contain no history <span class="text-xs ml-2">(' + count + ' layers, click to expand)</span></td><td class="text-right text-sm whitespace-nowrap">' + sizeStr + '</td>';
87
+
summary.onclick = function() {
88
+
summary.remove();
89
+
for (var j = start; j < start + count; j++) {
90
+
rows[j].classList.remove('hidden');
91
+
}
92
+
};
93
+
tbody.insertBefore(summary, rows[start]);
94
+
} else {
95
+
rows[start].classList.remove('hidden');
96
+
}
97
+
} else {
98
+
i++;
99
+
}
100
+
}
101
+
});
102
+
}
103
+
104
+
function applyLayerVisibility() {
105
+
var show = localStorage.getItem('showEmptyLayers') === 'true';
106
+
document.querySelectorAll('.layers-table tr[data-empty="true"]').forEach(function(row) {
107
+
row.style.display = show ? '' : 'none';
108
+
});
109
+
}
110
+
111
+
collapseNoHistoryLayers();
112
+
applyLayerVisibility();
113
+
})();
114
+
</script>
115
+
{{ else }}
116
+
<p class="text-base-content">No layer information available</p>
117
+
{{ end }}
118
+
</div>
119
+
{{ end }}
+210
pkg/appview/templates/partials/repo-tag-section.html
+210
pkg/appview/templates/partials/repo-tag-section.html
···
1
+
{{ define "repo-tag-section" }}
2
+
<div id="tag-content" data-owner="{{ .Owner.Handle }}" data-repo="{{ .Repository.Name }}"{{ if .SelectedTag }} data-digest="{{ if .SelectedTag.Info.IsMultiArch }}{{ (index .SelectedTag.Info.Platforms 0).Digest }}{{ else }}{{ .SelectedTag.Info.Digest }}{{ end }}"{{ end }}>
3
+
{{ if .SelectedTag }}
4
+
<!-- Pull Command with Client Switcher -->
5
+
{{ template "pull-command-switcher" (dict "RegistryURL" .RegistryURL "OwnerHandle" .Owner.Handle "RepoName" .Repository.Name "Tag" .SelectedTag.Info.Tag.Tag "ArtifactType" .ArtifactType "OciClient" .OciClient "IsLoggedIn" (ne .User nil)) }}
6
+
7
+
<!-- Stats Cards -->
8
+
<div class="grid grid-cols-1 sm:grid-cols-3 gap-4 mt-4">
9
+
<!-- Size & Layers -->
10
+
<div class="card bg-base-100 border border-base-300 p-4">
11
+
<div class="flex items-center justify-between mb-2">
12
+
<span class="text-xs font-semibold uppercase tracking-wider text-base-content/50">Image Size</span>
13
+
<span class="text-xs font-semibold uppercase tracking-wider text-base-content/50">Layers</span>
14
+
</div>
15
+
<div class="flex items-center justify-between">
16
+
<span class="text-lg font-bold">{{ humanizeBytes .SelectedTag.CompressedSize }}</span>
17
+
<span class="text-lg font-bold">{{ .SelectedTag.LayerCount }}</span>
18
+
</div>
19
+
<div class="text-xs text-base-content/50 mt-1">
20
+
Pushed {{ timeAgoShort .SelectedTag.Info.CreatedAt }}
21
+
</div>
22
+
</div>
23
+
24
+
<!-- Vulnerabilities (first platform only for summary) -->
25
+
<div class="card bg-base-100 border border-base-300 p-4">
26
+
<div class="text-xs font-semibold uppercase tracking-wider text-base-content/50 mb-2">Vulnerabilities</div>
27
+
<div id="vuln-summary-card">
28
+
{{ $firstPlatform := index .SelectedTag.Info.Platforms 0 }}
29
+
<span id="scan-badge-{{ trimPrefix "sha256:" $firstPlatform.Digest }}"></span>
30
+
<span id="vuln-loading-text" class="text-sm text-base-content/40">Loading...</span>
31
+
</div>
32
+
</div>
33
+
34
+
<!-- Pulls -->
35
+
<div class="card bg-base-100 border border-base-300 p-4">
36
+
<div class="flex items-center justify-between mb-2">
37
+
<span class="text-xs font-semibold uppercase tracking-wider text-base-content/50">Pulls</span>
38
+
</div>
39
+
<div class="text-lg font-bold">{{ .Stats.PullCount }} <span class="text-sm font-normal text-base-content/50">total</span></div>
40
+
<div class="text-xs text-base-content/50 mt-1">
41
+
{{ if .Stats.LastPull }}Last pull {{ timeAgoShort (derefTime .Stats.LastPull) }}{{ else }}No pulls yet{{ end }}
42
+
</div>
43
+
</div>
44
+
</div>
45
+
46
+
<!-- Scan batch triggers for selected tag -->
47
+
{{ range .SelectedTag.ScanBatchParams }}
48
+
<div hx-get="/api/scan-results?{{ . }}"
49
+
hx-trigger="load delay:500ms"
50
+
hx-swap="none"
51
+
hx-on::after-request="var el=document.getElementById('vuln-loading-text');if(el)el.remove()"
52
+
style="display:none"></div>
53
+
{{ end }}
54
+
55
+
{{ else }}
56
+
<!-- No tags exist -->
57
+
<div class="text-center py-8 text-base-content/60">
58
+
<p class="text-lg">No tags yet</p>
59
+
<p class="text-sm mt-1">Push an image to get started.</p>
60
+
</div>
61
+
{{ end }}
62
+
63
+
<!-- Tab Navigation -->
64
+
<div class="border-b border-base-300 mt-6">
65
+
<nav class="flex gap-0" role="tablist">
66
+
<button class="repo-tab px-6 py-3 text-sm font-medium border-b-2 border-transparent text-base-content/60 transition-colors cursor-pointer"
67
+
data-tab="overview"
68
+
role="tab"
69
+
onclick="switchRepoTab('overview')">
70
+
Overview
71
+
</button>
72
+
{{ if .SelectedTag }}
73
+
<button class="repo-tab px-6 py-3 text-sm font-medium border-b-2 border-transparent text-base-content/60 transition-colors cursor-pointer"
74
+
data-tab="layers"
75
+
role="tab"
76
+
id="layers-tab-btn"
77
+
onclick="switchRepoTab('layers')">
78
+
Layers
79
+
</button>
80
+
<button class="repo-tab px-6 py-3 text-sm font-medium border-b-2 border-transparent text-base-content/60 transition-colors cursor-pointer"
81
+
data-tab="vulns"
82
+
role="tab"
83
+
id="vulns-tab-btn"
84
+
onclick="switchRepoTab('vulns')">
85
+
Vulnerabilities
86
+
</button>
87
+
<button class="repo-tab px-6 py-3 text-sm font-medium border-b-2 border-transparent text-base-content/60 transition-colors cursor-pointer"
88
+
data-tab="sbom"
89
+
role="tab"
90
+
id="sbom-tab-btn"
91
+
onclick="switchRepoTab('sbom')">
92
+
SBOM
93
+
</button>
94
+
{{ end }}
95
+
<button class="repo-tab px-6 py-3 text-sm font-medium border-b-2 border-transparent text-base-content/60 transition-colors cursor-pointer"
96
+
data-tab="artifacts"
97
+
role="tab"
98
+
id="artifacts-tab-btn"
99
+
onclick="switchRepoTab('artifacts')">
100
+
Artifacts
101
+
</button>
102
+
{{ if and .SelectedTag (gt (len .AllTags) 1) }}
103
+
<div class="ml-auto flex items-center">
104
+
<div class="dropdown dropdown-end">
105
+
<label tabindex="0" class="btn btn-ghost btn-sm gap-1">
106
+
{{ icon "git-compare" "size-4" }} Diff
107
+
</label>
108
+
<ul tabindex="0" class="dropdown-content menu bg-base-200 rounded-box z-10 w-56 p-2 shadow max-h-60 overflow-y-auto">
109
+
{{ range .AllTags }}
110
+
{{ if ne . $.SelectedTag.Info.Tag.Tag }}
111
+
<li><a href="/diff/{{ $.Owner.Handle }}/{{ $.Repository.Name }}?from={{ $.SelectedTag.Info.Digest }}&to={{ . }}">{{ . }}</a></li>
112
+
{{ end }}
113
+
{{ end }}
114
+
</ul>
115
+
</div>
116
+
</div>
117
+
{{ end }}
118
+
</nav>
119
+
</div>
120
+
121
+
<!-- Tab Panels -->
122
+
<div id="tab-overview" class="repo-panel">
123
+
<div id="overview-view" class="card bg-base-100 shadow-sm p-6 space-y-4 min-w-0">
124
+
{{ if and .AIAdvisorEnabled .User .IsOwner .SelectedTag }}
125
+
<div id="ai-advisor-section">
126
+
<button id="ai-advisor-btn" class="btn btn-sm btn-outline gap-1"
127
+
hx-get="/api/image-advisor/{{ .Owner.Handle }}/{{ .Repository.Name }}?digest={{ if .SelectedTag.Info.IsMultiArch }}{{ (index .SelectedTag.Info.Platforms 0).Digest }}{{ else }}{{ .SelectedTag.Info.Digest }}{{ end }}"
128
+
hx-target="#ai-advisor-results"
129
+
hx-swap="innerHTML"
130
+
hx-indicator="#ai-advisor-spinner"
131
+
hx-on::after-request="this.disabled=true">
132
+
{{ icon "sparkles" "size-4" }}
133
+
Analyze Image
134
+
</button>
135
+
<span id="ai-advisor-spinner" class="htmx-indicator">
136
+
{{ icon "loader" "size-4 animate-spin" }}
137
+
</span>
138
+
<div id="ai-advisor-results" class="mt-4"></div>
139
+
</div>
140
+
{{ end }}
141
+
142
+
{{ if and .IsOwner .ReadmeHTML }}
143
+
<div class="flex justify-end">
144
+
<button class="btn btn-sm btn-ghost gap-1" onclick="toggleOverviewEditor(true)">
145
+
{{ icon "pencil" "size-4" }}
146
+
Edit
147
+
</button>
148
+
</div>
149
+
{{ end }}
150
+
151
+
<div id="overview-rendered" class="prose prose-sm max-w-none">
152
+
{{ if .ReadmeHTML }}
153
+
{{ .ReadmeHTML }}
154
+
{{ else }}
155
+
{{ if .IsOwner }}
156
+
<div class="text-center py-12">
157
+
{{ icon "file-text" "size-12 text-base-content/20 mx-auto" }}
158
+
<p class="text-base-content/60 mt-4">No README provided</p>
159
+
<p class="text-base-content/40 text-sm mt-1">Add a README to help users understand this image.</p>
160
+
<button class="btn btn-primary btn-sm mt-4" onclick="toggleOverviewEditor(true)">
161
+
{{ icon "pencil" "size-4" }} Add README
162
+
</button>
163
+
</div>
164
+
{{ else }}
165
+
<div class="text-center py-12">
166
+
{{ icon "file-text" "size-12 text-base-content/20 mx-auto" }}
167
+
<p class="text-base-content/60 mt-4">No README provided</p>
168
+
<p class="text-base-content/40 text-sm mt-1">Image metadata is shown above.</p>
169
+
</div>
170
+
{{ end }}
171
+
{{ end }}
172
+
</div>
173
+
</div>
174
+
</div>
175
+
176
+
{{ if .SelectedTag }}
177
+
<div id="tab-layers" class="repo-panel hidden">
178
+
<div id="layers-content">
179
+
<div class="flex justify-center py-12">
180
+
<span class="loading loading-spinner loading-lg"></span>
181
+
</div>
182
+
</div>
183
+
</div>
184
+
185
+
<div id="tab-vulns" class="repo-panel hidden">
186
+
<div id="vulns-content">
187
+
<div class="flex justify-center py-12">
188
+
<span class="loading loading-spinner loading-lg"></span>
189
+
</div>
190
+
</div>
191
+
</div>
192
+
193
+
<div id="tab-sbom" class="repo-panel hidden">
194
+
<div id="sbom-content">
195
+
<div class="flex justify-center py-12">
196
+
<span class="loading loading-spinner loading-lg"></span>
197
+
</div>
198
+
</div>
199
+
</div>
200
+
{{ end }}
201
+
202
+
<div id="tab-artifacts" class="repo-panel hidden">
203
+
<div id="artifacts-content">
204
+
<div class="flex justify-center py-12">
205
+
<span class="loading loading-spinner loading-lg"></span>
206
+
</div>
207
+
</div>
208
+
</div>
209
+
</div>
210
+
{{ end }}
+9
pkg/appview/templates/partials/sbom-section.html
+9
pkg/appview/templates/partials/sbom-section.html
···
1
+
{{ define "sbom-section" }}
2
+
<div class="card bg-base-100 shadow-sm border border-base-300 p-6 space-y-4 min-w-0">
3
+
{{ if .SbomData }}
4
+
{{ template "sbom-details" .SbomData }}
5
+
{{ else }}
6
+
<p class="text-base-content">No SBOM data available</p>
7
+
{{ end }}
8
+
</div>
9
+
{{ end }}
+9
pkg/appview/templates/partials/vulns-section.html
+9
pkg/appview/templates/partials/vulns-section.html
···
1
+
{{ define "vulns-section" }}
2
+
<div class="card bg-base-100 shadow-sm border border-base-300 p-6 space-y-4 min-w-0">
3
+
{{ if .VulnData }}
4
+
{{ template "vuln-details" .VulnData }}
5
+
{{ else }}
6
+
<p class="text-base-content">No vulnerability scan data available</p>
7
+
{{ end }}
8
+
</div>
9
+
{{ end }}
+7
pkg/appview/ui.go
+7
pkg/appview/ui.go
+332
pkg/atproto/cbor_gen.go
+332
pkg/atproto/cbor_gen.go
···
1843
1843
1844
1844
return nil
1845
1845
}
1846
+
func (t *DailyStatsRecord) MarshalCBOR(w io.Writer) error {
1847
+
if t == nil {
1848
+
_, err := w.Write(cbg.CborNull)
1849
+
return err
1850
+
}
1851
+
1852
+
cw := cbg.NewCborWriter(w)
1853
+
1854
+
if _, err := cw.Write([]byte{167}); err != nil {
1855
+
return err
1856
+
}
1857
+
1858
+
// t.Date (string) (string)
1859
+
if len("date") > 8192 {
1860
+
return xerrors.Errorf("Value in field \"date\" was too long")
1861
+
}
1862
+
1863
+
if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("date"))); err != nil {
1864
+
return err
1865
+
}
1866
+
if _, err := cw.WriteString(string("date")); err != nil {
1867
+
return err
1868
+
}
1869
+
1870
+
if len(t.Date) > 8192 {
1871
+
return xerrors.Errorf("Value in field t.Date was too long")
1872
+
}
1873
+
1874
+
if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(t.Date))); err != nil {
1875
+
return err
1876
+
}
1877
+
if _, err := cw.WriteString(string(t.Date)); err != nil {
1878
+
return err
1879
+
}
1880
+
1881
+
// t.Type (string) (string)
1882
+
if len("$type") > 8192 {
1883
+
return xerrors.Errorf("Value in field \"$type\" was too long")
1884
+
}
1885
+
1886
+
if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("$type"))); err != nil {
1887
+
return err
1888
+
}
1889
+
if _, err := cw.WriteString(string("$type")); err != nil {
1890
+
return err
1891
+
}
1892
+
1893
+
if len(t.Type) > 8192 {
1894
+
return xerrors.Errorf("Value in field t.Type was too long")
1895
+
}
1896
+
1897
+
if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(t.Type))); err != nil {
1898
+
return err
1899
+
}
1900
+
if _, err := cw.WriteString(string(t.Type)); err != nil {
1901
+
return err
1902
+
}
1903
+
1904
+
// t.OwnerDID (string) (string)
1905
+
if len("ownerDid") > 8192 {
1906
+
return xerrors.Errorf("Value in field \"ownerDid\" was too long")
1907
+
}
1908
+
1909
+
if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("ownerDid"))); err != nil {
1910
+
return err
1911
+
}
1912
+
if _, err := cw.WriteString(string("ownerDid")); err != nil {
1913
+
return err
1914
+
}
1915
+
1916
+
if len(t.OwnerDID) > 8192 {
1917
+
return xerrors.Errorf("Value in field t.OwnerDID was too long")
1918
+
}
1919
+
1920
+
if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(t.OwnerDID))); err != nil {
1921
+
return err
1922
+
}
1923
+
if _, err := cw.WriteString(string(t.OwnerDID)); err != nil {
1924
+
return err
1925
+
}
1926
+
1927
+
// t.PullCount (int64) (int64)
1928
+
if len("pullCount") > 8192 {
1929
+
return xerrors.Errorf("Value in field \"pullCount\" was too long")
1930
+
}
1931
+
1932
+
if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("pullCount"))); err != nil {
1933
+
return err
1934
+
}
1935
+
if _, err := cw.WriteString(string("pullCount")); err != nil {
1936
+
return err
1937
+
}
1938
+
1939
+
if t.PullCount >= 0 {
1940
+
if err := cw.WriteMajorTypeHeader(cbg.MajUnsignedInt, uint64(t.PullCount)); err != nil {
1941
+
return err
1942
+
}
1943
+
} else {
1944
+
if err := cw.WriteMajorTypeHeader(cbg.MajNegativeInt, uint64(-t.PullCount-1)); err != nil {
1945
+
return err
1946
+
}
1947
+
}
1948
+
1949
+
// t.PushCount (int64) (int64)
1950
+
if len("pushCount") > 8192 {
1951
+
return xerrors.Errorf("Value in field \"pushCount\" was too long")
1952
+
}
1953
+
1954
+
if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("pushCount"))); err != nil {
1955
+
return err
1956
+
}
1957
+
if _, err := cw.WriteString(string("pushCount")); err != nil {
1958
+
return err
1959
+
}
1960
+
1961
+
if t.PushCount >= 0 {
1962
+
if err := cw.WriteMajorTypeHeader(cbg.MajUnsignedInt, uint64(t.PushCount)); err != nil {
1963
+
return err
1964
+
}
1965
+
} else {
1966
+
if err := cw.WriteMajorTypeHeader(cbg.MajNegativeInt, uint64(-t.PushCount-1)); err != nil {
1967
+
return err
1968
+
}
1969
+
}
1970
+
1971
+
// t.UpdatedAt (string) (string)
1972
+
if len("updatedAt") > 8192 {
1973
+
return xerrors.Errorf("Value in field \"updatedAt\" was too long")
1974
+
}
1975
+
1976
+
if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("updatedAt"))); err != nil {
1977
+
return err
1978
+
}
1979
+
if _, err := cw.WriteString(string("updatedAt")); err != nil {
1980
+
return err
1981
+
}
1982
+
1983
+
if len(t.UpdatedAt) > 8192 {
1984
+
return xerrors.Errorf("Value in field t.UpdatedAt was too long")
1985
+
}
1986
+
1987
+
if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(t.UpdatedAt))); err != nil {
1988
+
return err
1989
+
}
1990
+
if _, err := cw.WriteString(string(t.UpdatedAt)); err != nil {
1991
+
return err
1992
+
}
1993
+
1994
+
// t.Repository (string) (string)
1995
+
if len("repository") > 8192 {
1996
+
return xerrors.Errorf("Value in field \"repository\" was too long")
1997
+
}
1998
+
1999
+
if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("repository"))); err != nil {
2000
+
return err
2001
+
}
2002
+
if _, err := cw.WriteString(string("repository")); err != nil {
2003
+
return err
2004
+
}
2005
+
2006
+
if len(t.Repository) > 8192 {
2007
+
return xerrors.Errorf("Value in field t.Repository was too long")
2008
+
}
2009
+
2010
+
if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(t.Repository))); err != nil {
2011
+
return err
2012
+
}
2013
+
if _, err := cw.WriteString(string(t.Repository)); err != nil {
2014
+
return err
2015
+
}
2016
+
return nil
2017
+
}
2018
+
2019
+
func (t *DailyStatsRecord) UnmarshalCBOR(r io.Reader) (err error) {
2020
+
*t = DailyStatsRecord{}
2021
+
2022
+
cr := cbg.NewCborReader(r)
2023
+
2024
+
maj, extra, err := cr.ReadHeader()
2025
+
if err != nil {
2026
+
return err
2027
+
}
2028
+
defer func() {
2029
+
if err == io.EOF {
2030
+
err = io.ErrUnexpectedEOF
2031
+
}
2032
+
}()
2033
+
2034
+
if maj != cbg.MajMap {
2035
+
return fmt.Errorf("cbor input should be of type map")
2036
+
}
2037
+
2038
+
if extra > cbg.MaxLength {
2039
+
return fmt.Errorf("DailyStatsRecord: map struct too large (%d)", extra)
2040
+
}
2041
+
2042
+
n := extra
2043
+
2044
+
nameBuf := make([]byte, 10)
2045
+
for i := uint64(0); i < n; i++ {
2046
+
nameLen, ok, err := cbg.ReadFullStringIntoBuf(cr, nameBuf, 8192)
2047
+
if err != nil {
2048
+
return err
2049
+
}
2050
+
2051
+
if !ok {
2052
+
// Field doesn't exist on this type, so ignore it
2053
+
if err := cbg.ScanForLinks(cr, func(cid.Cid) {}); err != nil {
2054
+
return err
2055
+
}
2056
+
continue
2057
+
}
2058
+
2059
+
switch string(nameBuf[:nameLen]) {
2060
+
// t.Date (string) (string)
2061
+
case "date":
2062
+
2063
+
{
2064
+
sval, err := cbg.ReadStringWithMax(cr, 8192)
2065
+
if err != nil {
2066
+
return err
2067
+
}
2068
+
2069
+
t.Date = string(sval)
2070
+
}
2071
+
// t.Type (string) (string)
2072
+
case "$type":
2073
+
2074
+
{
2075
+
sval, err := cbg.ReadStringWithMax(cr, 8192)
2076
+
if err != nil {
2077
+
return err
2078
+
}
2079
+
2080
+
t.Type = string(sval)
2081
+
}
2082
+
// t.OwnerDID (string) (string)
2083
+
case "ownerDid":
2084
+
2085
+
{
2086
+
sval, err := cbg.ReadStringWithMax(cr, 8192)
2087
+
if err != nil {
2088
+
return err
2089
+
}
2090
+
2091
+
t.OwnerDID = string(sval)
2092
+
}
2093
+
// t.PullCount (int64) (int64)
2094
+
case "pullCount":
2095
+
{
2096
+
maj, extra, err := cr.ReadHeader()
2097
+
if err != nil {
2098
+
return err
2099
+
}
2100
+
var extraI int64
2101
+
switch maj {
2102
+
case cbg.MajUnsignedInt:
2103
+
extraI = int64(extra)
2104
+
if extraI < 0 {
2105
+
return fmt.Errorf("int64 positive overflow")
2106
+
}
2107
+
case cbg.MajNegativeInt:
2108
+
extraI = int64(extra)
2109
+
if extraI < 0 {
2110
+
return fmt.Errorf("int64 negative overflow")
2111
+
}
2112
+
extraI = -1 - extraI
2113
+
default:
2114
+
return fmt.Errorf("wrong type for int64 field: %d", maj)
2115
+
}
2116
+
2117
+
t.PullCount = int64(extraI)
2118
+
}
2119
+
// t.PushCount (int64) (int64)
2120
+
case "pushCount":
2121
+
{
2122
+
maj, extra, err := cr.ReadHeader()
2123
+
if err != nil {
2124
+
return err
2125
+
}
2126
+
var extraI int64
2127
+
switch maj {
2128
+
case cbg.MajUnsignedInt:
2129
+
extraI = int64(extra)
2130
+
if extraI < 0 {
2131
+
return fmt.Errorf("int64 positive overflow")
2132
+
}
2133
+
case cbg.MajNegativeInt:
2134
+
extraI = int64(extra)
2135
+
if extraI < 0 {
2136
+
return fmt.Errorf("int64 negative overflow")
2137
+
}
2138
+
extraI = -1 - extraI
2139
+
default:
2140
+
return fmt.Errorf("wrong type for int64 field: %d", maj)
2141
+
}
2142
+
2143
+
t.PushCount = int64(extraI)
2144
+
}
2145
+
// t.UpdatedAt (string) (string)
2146
+
case "updatedAt":
2147
+
2148
+
{
2149
+
sval, err := cbg.ReadStringWithMax(cr, 8192)
2150
+
if err != nil {
2151
+
return err
2152
+
}
2153
+
2154
+
t.UpdatedAt = string(sval)
2155
+
}
2156
+
// t.Repository (string) (string)
2157
+
case "repository":
2158
+
2159
+
{
2160
+
sval, err := cbg.ReadStringWithMax(cr, 8192)
2161
+
if err != nil {
2162
+
return err
2163
+
}
2164
+
2165
+
t.Repository = string(sval)
2166
+
}
2167
+
2168
+
default:
2169
+
// Field doesn't exist on this type, so ignore it
2170
+
if err := cbg.ScanForLinks(r, func(cid.Cid) {}); err != nil {
2171
+
return err
2172
+
}
2173
+
}
2174
+
}
2175
+
2176
+
return nil
2177
+
}
1846
2178
func (t *ScanRecord) MarshalCBOR(w io.Writer) error {
1847
2179
if t == nil {
1848
2180
_, err := w.Write(cbg.CborNull)
+1
pkg/atproto/generate.go
+1
pkg/atproto/generate.go
+44
pkg/atproto/lexicon.go
+44
pkg/atproto/lexicon.go
···
44
44
// Stored in hold's embedded PDS to track pull/push counts per owner+repo
45
45
StatsCollection = "io.atcr.hold.stats"
46
46
47
+
// DailyStatsCollection is the collection name for daily repository statistics
48
+
// Stored in hold's embedded PDS to track daily pull/push counts per owner+repo+date
49
+
DailyStatsCollection = "io.atcr.hold.stats.daily"
50
+
47
51
// ScanCollection is the collection name for vulnerability scan results
48
52
// Stored in hold's embedded PDS to track scan results per manifest
49
53
ScanCollection = "io.atcr.hold.scan"
···
352
356
// OciClient is the preferred OCI client for pull commands (docker, podman, buildah, nerdctl, crane).
353
357
// Defaults to "docker" if empty.
354
358
OciClient string `json:"ociClient,omitempty"`
359
+
360
+
// AIAdvisorEnabled controls whether the AI Image Advisor feature is active for this user.
361
+
// nil = default (enabled if user has billing access), false = explicitly disabled.
362
+
AIAdvisorEnabled *bool `json:"aiAdvisorEnabled,omitempty"`
355
363
356
364
// CreatedAt timestamp
357
365
CreatedAt time.Time `json:"createdAt"`
···
772
780
hash := sha256.Sum256([]byte(combined))
773
781
// Use first 16 bytes (128 bits) for collision resistance
774
782
// Encode with base32 (alphanumeric, lowercase, no padding) for ATProto rkey compatibility
783
+
return strings.ToLower(base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(hash[:16]))
784
+
}
785
+
786
+
// DailyStatsRecord represents daily repository statistics stored in the hold's PDS
787
+
// Collection: io.atcr.hold.stats.daily
788
+
// Stored in the hold's embedded PDS for tracking daily pull/push counts
789
+
// Uses CBOR encoding for efficient storage in hold's carstore
790
+
// RKey is deterministic: base32(sha256(ownerDID + "/" + repository + "/" + date)[:16])
791
+
type DailyStatsRecord struct {
792
+
Type string `json:"$type" cborgen:"$type"`
793
+
OwnerDID string `json:"ownerDid" cborgen:"ownerDid"` // DID of the image owner
794
+
Repository string `json:"repository" cborgen:"repository"` // Repository name
795
+
Date string `json:"date" cborgen:"date"` // YYYY-MM-DD format
796
+
PullCount int64 `json:"pullCount" cborgen:"pullCount"` // Number of manifest downloads on this date
797
+
PushCount int64 `json:"pushCount" cborgen:"pushCount"` // Number of manifest uploads on this date
798
+
UpdatedAt string `json:"updatedAt" cborgen:"updatedAt"` // RFC3339 timestamp
799
+
}
800
+
801
+
// NewDailyStatsRecord creates a new daily stats record
802
+
func NewDailyStatsRecord(ownerDID, repository, date string) *DailyStatsRecord {
803
+
return &DailyStatsRecord{
804
+
Type: DailyStatsCollection,
805
+
OwnerDID: ownerDID,
806
+
Repository: repository,
807
+
Date: date,
808
+
PullCount: 0,
809
+
PushCount: 0,
810
+
UpdatedAt: time.Now().Format(time.RFC3339),
811
+
}
812
+
}
813
+
814
+
// DailyStatsRecordKey generates a deterministic record key for daily stats
815
+
// Uses base32 encoding of first 16 bytes of SHA-256 hash of "ownerDID/repository/date"
816
+
func DailyStatsRecordKey(ownerDID, repository, date string) string {
817
+
combined := ownerDID + "/" + repository + "/" + date
818
+
hash := sha256.Sum256([]byte(combined))
775
819
return strings.ToLower(base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(hash[:16]))
776
820
}
777
821
+32
pkg/billing/billing.go
+32
pkg/billing/billing.go
···
139
139
return m.cfg.Tiers[0].MaxWebhooks, m.cfg.Tiers[0].WebhookAllTriggers
140
140
}
141
141
142
+
// HasAIAdvisor returns whether a user has access to the AI Image Advisor based on their subscription tier.
143
+
// Hold captains always have access.
144
+
func (m *Manager) HasAIAdvisor(userDID string) bool {
145
+
if m.isCaptain(userDID) {
146
+
return true
147
+
}
148
+
if !m.Enabled() {
149
+
return false
150
+
}
151
+
152
+
info, err := m.GetSubscriptionInfo(userDID)
153
+
if err != nil || info == nil {
154
+
return m.cfg.Tiers[0].AIAdvisor
155
+
}
156
+
157
+
rank := info.TierRank
158
+
if rank >= 0 && rank < len(m.cfg.Tiers) {
159
+
return m.cfg.Tiers[rank].AIAdvisor
160
+
}
161
+
162
+
return m.cfg.Tiers[0].AIAdvisor
163
+
}
164
+
142
165
// GetSupporterBadge returns the supporter badge tier name for a user based on their subscription.
143
166
// Returns the tier name if the user's current tier has supporter badges enabled, empty string otherwise.
144
167
// Hold captains get a "Captain" badge.
···
203
226
// Dynamic features: hold-derived first, then webhook limits, then static config
204
227
features := m.aggregateHoldFeatures(i)
205
228
features = append(features, webhookFeatures(tier.MaxWebhooks, tier.WebhookAllTriggers)...)
229
+
features = append(features, aiAdvisorFeatures(tier.AIAdvisor)...)
206
230
if tier.SupporterBadge {
207
231
features = append(features, "Supporter badge")
208
232
}
···
687
711
features = append(features, "All webhook triggers")
688
712
}
689
713
return features
714
+
}
715
+
716
+
// aiAdvisorFeatures generates feature bullet strings for AI advisor access.
717
+
func aiAdvisorFeatures(enabled bool) []string {
718
+
if enabled {
719
+
return []string{"AI Image Advisor"}
720
+
}
721
+
return nil
690
722
}
691
723
692
724
// formatBytes formats bytes as a human-readable string (e.g. "5.0 GB").
+9
pkg/billing/billing_stub.go
+9
pkg/billing/billing_stub.go
···
36
36
return 1, false
37
37
}
38
38
39
+
// HasAIAdvisor returns whether a user has access to the AI Image Advisor.
40
+
// Hold captains always have access. Default is false when billing is not compiled in.
41
+
func (m *Manager) HasAIAdvisor(userDID string) bool {
42
+
if m.captainChecker != nil && userDID != "" && m.captainChecker(userDID) {
43
+
return true
44
+
}
45
+
return false
46
+
}
47
+
39
48
// GetSubscriptionInfo returns an error when billing is not compiled in.
40
49
func (m *Manager) GetSubscriptionInfo(_ string) (*SubscriptionInfo, error) {
41
50
return nil, ErrBillingDisabled
+3
pkg/billing/config.go
+3
pkg/billing/config.go
···
51
51
// Whether all webhook trigger types are available (not just first-scan).
52
52
WebhookAllTriggers bool `yaml:"webhook_all_triggers" comment:"Allow all webhook trigger types (not just first-scan)."`
53
53
54
+
// Whether AI Image Advisor is available for this tier.
55
+
AIAdvisor bool `yaml:"ai_advisor" comment:"Enable AI Image Advisor for this tier."`
56
+
54
57
// Whether this tier earns a supporter badge on user profiles.
55
58
SupporterBadge bool `yaml:"supporter_badge" comment:"Show supporter badge on user profiles for subscribers at this tier."`
56
59
}
+7
pkg/hold/admin/public/icons.svg
+7
pkg/hold/admin/public/icons.svg
···
7
7
<symbol id="arrow-left" viewBox="0 0 24 24"><path d="m12 19-7-7 7-7"/><path d="M19 12H5"/></symbol>
8
8
<symbol id="arrow-right" viewBox="0 0 24 24"><path d="M5 12h14"/><path d="m12 5 7 7-7 7"/></symbol>
9
9
<symbol id="bold" viewBox="0 0 24 24"><path d="M6 12h9a4 4 0 0 1 0 8H7a1 1 0 0 1-1-1V5a1 1 0 0 1 1-1h7a4 4 0 0 1 0 8"/></symbol>
10
+
<symbol id="book-open" viewBox="0 0 24 24"><path d="M12 7v14"/><path d="M3 18a1 1 0 0 1-1-1V4a1 1 0 0 1 1-1h5a4 4 0 0 1 4 4 4 4 0 0 1 4-4h5a1 1 0 0 1 1 1v13a1 1 0 0 1-1 1h-6a3 3 0 0 0-3 3 3 3 0 0 0-3-3z"/></symbol>
10
11
<symbol id="check" viewBox="0 0 24 24"><path d="M20 6 9 17l-5-5"/></symbol>
11
12
<symbol id="check-circle" viewBox="0 0 24 24"><path d="M21.801 10A10 10 0 1 1 17 3.335"/><path d="m9 11 3 3L22 4"/></symbol>
12
13
<symbol id="chevron-down" viewBox="0 0 24 24"><path d="m6 9 6 6 6-6"/></symbol>
···
18
19
<symbol id="container" viewBox="0 0 24 24"><path d="M22 7.7c0-.6-.4-1.2-.8-1.5l-6.3-3.9a1.72 1.72 0 0 0-1.7 0l-10.3 6c-.5.2-.9.8-.9 1.4v6.6c0 .5.4 1.2.8 1.5l6.3 3.9a1.72 1.72 0 0 0 1.7 0l10.3-6c.5-.3.9-1 .9-1.5Z"/><path d="M10 21.9V14L2.1 9.1"/><path d="m10 14 11.9-6.9"/><path d="M14 19.8v-8.1"/><path d="M18 17.5V9.4"/></symbol>
19
20
<symbol id="copy" viewBox="0 0 24 24"><rect width="14" height="14" x="8" y="8" rx="2" ry="2"/><path d="M4 16c-1.1 0-2-.9-2-2V4c0-1.1.9-2 2-2h10c1.1 0 2 .9 2 2"/></symbol>
20
21
<symbol id="cpu" viewBox="0 0 24 24"><path d="M12 20v2"/><path d="M12 2v2"/><path d="M17 20v2"/><path d="M17 2v2"/><path d="M2 12h2"/><path d="M2 17h2"/><path d="M2 7h2"/><path d="M20 12h2"/><path d="M20 17h2"/><path d="M20 7h2"/><path d="M7 20v2"/><path d="M7 2v2"/><rect x="4" y="4" width="16" height="16" rx="2"/><rect x="8" y="8" width="8" height="8" rx="1"/></symbol>
22
+
<symbol id="credit-card" viewBox="0 0 24 24"><rect width="20" height="14" x="2" y="5" rx="2"/><line x1="2" x2="22" y1="10" y2="10"/></symbol>
21
23
<symbol id="database" viewBox="0 0 24 24"><ellipse cx="12" cy="5" rx="9" ry="3"/><path d="M3 5V19A9 3 0 0 0 21 19V5"/><path d="M3 12A9 3 0 0 0 21 12"/></symbol>
22
24
<symbol id="download" viewBox="0 0 24 24"><path d="M12 15V3"/><path d="M21 15v4a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2v-4"/><path d="m7 10 5 5 5-5"/></symbol>
23
25
<symbol id="external-link" viewBox="0 0 24 24"><path d="M15 3h6v6"/><path d="M10 14 21 3"/><path d="M18 13v6a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2V8a2 2 0 0 1 2-2h6"/></symbol>
24
26
<symbol id="eye" viewBox="0 0 24 24"><path d="M2.062 12.348a1 1 0 0 1 0-.696 10.75 10.75 0 0 1 19.876 0 1 1 0 0 1 0 .696 10.75 10.75 0 0 1-19.876 0"/><circle cx="12" cy="12" r="3"/></symbol>
25
27
<symbol id="file-plus" viewBox="0 0 24 24"><path d="M6 22a2 2 0 0 1-2-2V4a2 2 0 0 1 2-2h8a2.4 2.4 0 0 1 1.704.706l3.588 3.588A2.4 2.4 0 0 1 20 8v12a2 2 0 0 1-2 2z"/><path d="M14 2v5a1 1 0 0 0 1 1h5"/><path d="M9 15h6"/><path d="M12 18v-6"/></symbol>
28
+
<symbol id="file-text" viewBox="0 0 24 24"><path d="M6 22a2 2 0 0 1-2-2V4a2 2 0 0 1 2-2h8a2.4 2.4 0 0 1 1.704.706l3.588 3.588A2.4 2.4 0 0 1 20 8v12a2 2 0 0 1-2 2z"/><path d="M14 2v5a1 1 0 0 0 1 1h5"/><path d="M10 9H8"/><path d="M16 13H8"/><path d="M16 17H8"/></symbol>
26
29
<symbol id="file-x" viewBox="0 0 24 24"><path d="M6 22a2 2 0 0 1-2-2V4a2 2 0 0 1 2-2h8a2.4 2.4 0 0 1 1.704.706l3.588 3.588A2.4 2.4 0 0 1 20 8v12a2 2 0 0 1-2 2z"/><path d="M14 2v5a1 1 0 0 0 1 1h5"/><path d="m14.5 12.5-5 5"/><path d="m9.5 12.5 5 5"/></symbol>
27
30
<symbol id="fingerprint" viewBox="0 0 24 24"><path d="M12 10a2 2 0 0 0-2 2c0 1.02-.1 2.51-.26 4"/><path d="M14 13.12c0 2.38 0 6.38-1 8.88"/><path d="M17.29 21.02c.12-.6.43-2.3.5-3.02"/><path d="M2 12a10 10 0 0 1 18-6"/><path d="M2 16h.01"/><path d="M21.8 16c.2-2 .131-5.354 0-6"/><path d="M5 19.5C5.5 18 6 15 6 12a6 6 0 0 1 .34-2"/><path d="M8.65 22c.21-.66.45-1.32.57-2"/><path d="M9 6.8a6 6 0 0 1 9 5.2v2"/></symbol>
31
+
<symbol id="git-compare" viewBox="0 0 24 24"><circle cx="18" cy="18" r="3"/><circle cx="6" cy="6" r="3"/><path d="M13 6h3a2 2 0 0 1 2 2v7"/><path d="M11 18H8a2 2 0 0 1-2-2V9"/></symbol>
28
32
<symbol id="git-merge" viewBox="0 0 24 24"><circle cx="18" cy="18" r="3"/><circle cx="6" cy="6" r="3"/><path d="M6 21V9a9 9 0 0 0 9 9"/></symbol>
29
33
<symbol id="github" viewBox="0 0 24 24"><path d="M15 22v-4a4.8 4.8 0 0 0-1-3.5c3 0 6-2 6-5.5.08-1.25-.27-2.48-1-3.5.28-1.15.28-2.35 0-3.5 0 0-1 0-3 1.5-2.64-.5-5.36-.5-8 0C6 2 5 2 5 2c-.3 1.15-.3 2.35 0 3.5A5.403 5.403 0 0 0 4 9c0 3.5 3 5.5 6 5.5-.39.49-.68 1.05-.85 1.65-.17.6-.22 1.23-.15 1.85v4"/><path d="M9 18c-4.51 2-5-2-7-2"/></symbol>
30
34
<symbol id="hard-drive" viewBox="0 0 24 24"><path d="M10 16h.01"/><path d="M2.212 11.577a2 2 0 0 0-.212.896V18a2 2 0 0 0 2 2h16a2 2 0 0 0 2-2v-5.527a2 2 0 0 0-.212-.896L18.55 5.11A2 2 0 0 0 16.76 4H7.24a2 2 0 0 0-1.79 1.11z"/><path d="M21.946 12.013H2.054"/><path d="M6 16h.01"/></symbol>
···
50
54
<symbol id="settings" viewBox="0 0 24 24"><path d="M9.671 4.136a2.34 2.34 0 0 1 4.659 0 2.34 2.34 0 0 0 3.319 1.915 2.34 2.34 0 0 1 2.33 4.033 2.34 2.34 0 0 0 0 3.831 2.34 2.34 0 0 1-2.33 4.033 2.34 2.34 0 0 0-3.319 1.915 2.34 2.34 0 0 1-4.659 0 2.34 2.34 0 0 0-3.32-1.915 2.34 2.34 0 0 1-2.33-4.033 2.34 2.34 0 0 0 0-3.831A2.34 2.34 0 0 1 6.35 6.051a2.34 2.34 0 0 0 3.319-1.915"/><circle cx="12" cy="12" r="3"/></symbol>
51
55
<symbol id="shield-check" viewBox="0 0 24 24"><path d="M20 13c0 5-3.5 7.5-7.66 8.95a1 1 0 0 1-.67-.01C7.5 20.5 4 18 4 13V6a1 1 0 0 1 1-1c2 0 4.5-1.2 6.24-2.72a1.17 1.17 0 0 1 1.52 0C14.51 3.81 17 5 19 5a1 1 0 0 1 1 1z"/><path d="m9 12 2 2 4-4"/></symbol>
52
56
<symbol id="ship" viewBox="0 0 24 24"><path d="M12 10.189V14"/><path d="M12 2v3"/><path d="M19 13V7a2 2 0 0 0-2-2H7a2 2 0 0 0-2 2v6"/><path d="M19.38 20A11.6 11.6 0 0 0 21 14l-8.188-3.639a2 2 0 0 0-1.624 0L3 14a11.6 11.6 0 0 0 2.81 7.76"/><path d="M2 21c.6.5 1.2 1 2.5 1 2.5 0 2.5-2 5-2 1.3 0 1.9.5 2.5 1s1.2 1 2.5 1c2.5 0 2.5-2 5-2 1.3 0 1.9.5 2.5 1"/></symbol>
57
+
<symbol id="sparkle" viewBox="0 0 24 24"><path d="M11.017 2.814a1 1 0 0 1 1.966 0l1.051 5.558a2 2 0 0 0 1.594 1.594l5.558 1.051a1 1 0 0 1 0 1.966l-5.558 1.051a2 2 0 0 0-1.594 1.594l-1.051 5.558a1 1 0 0 1-1.966 0l-1.051-5.558a2 2 0 0 0-1.594-1.594l-5.558-1.051a1 1 0 0 1 0-1.966l5.558-1.051a2 2 0 0 0 1.594-1.594z"/></symbol>
58
+
<symbol id="sparkles" viewBox="0 0 24 24"><path d="M11.017 2.814a1 1 0 0 1 1.966 0l1.051 5.558a2 2 0 0 0 1.594 1.594l5.558 1.051a1 1 0 0 1 0 1.966l-5.558 1.051a2 2 0 0 0-1.594 1.594l-1.051 5.558a1 1 0 0 1-1.966 0l-1.051-5.558a2 2 0 0 0-1.594-1.594l-5.558-1.051a1 1 0 0 1 0-1.966l5.558-1.051a2 2 0 0 0 1.594-1.594z"/><path d="M20 2v4"/><path d="M22 4h-4"/><circle cx="4" cy="20" r="2"/></symbol>
53
59
<symbol id="star" viewBox="0 0 24 24"><path d="M11.525 2.295a.53.53 0 0 1 .95 0l2.31 4.679a2.123 2.123 0 0 0 1.595 1.16l5.166.756a.53.53 0 0 1 .294.904l-3.736 3.638a2.123 2.123 0 0 0-.611 1.878l.882 5.14a.53.53 0 0 1-.771.56l-4.618-2.428a2.122 2.122 0 0 0-1.973 0L6.396 21.01a.53.53 0 0 1-.77-.56l.881-5.139a2.122 2.122 0 0 0-.611-1.879L2.16 9.795a.53.53 0 0 1 .294-.906l5.165-.755a2.122 2.122 0 0 0 1.597-1.16z"/></symbol>
54
60
<symbol id="sun" viewBox="0 0 24 24"><circle cx="12" cy="12" r="4"/><path d="M12 2v2"/><path d="M12 20v2"/><path d="m4.93 4.93 1.41 1.41"/><path d="m17.66 17.66 1.41 1.41"/><path d="M2 12h2"/><path d="M20 12h2"/><path d="m6.34 17.66-1.41 1.41"/><path d="m19.07 4.93-1.41 1.41"/></symbol>
55
61
<symbol id="sun-moon" viewBox="0 0 24 24"><path d="M12 2v2"/><path d="M14.837 16.385a6 6 0 1 1-7.223-7.222c.624-.147.97.66.715 1.248a4 4 0 0 0 5.26 5.259c.589-.255 1.396.09 1.248.715"/><path d="M16 12a4 4 0 0 0-4-4"/><path d="m19 5-1.256 1.256"/><path d="M20 12h2"/></symbol>
62
+
<symbol id="tag" viewBox="0 0 24 24"><path d="M12.586 2.586A2 2 0 0 0 11.172 2H4a2 2 0 0 0-2 2v7.172a2 2 0 0 0 .586 1.414l8.704 8.704a2.426 2.426 0 0 0 3.42 0l6.58-6.58a2.426 2.426 0 0 0 0-3.42z"/><circle cx="7.5" cy="7.5" r=".5" fill="currentColor"/></symbol>
56
63
<symbol id="terminal" viewBox="0 0 24 24"><path d="M12 19h8"/><path d="m4 17 6-6-6-6"/></symbol>
57
64
<symbol id="trash-2" viewBox="0 0 24 24"><path d="M10 11v6"/><path d="M14 11v6"/><path d="M19 6v14a2 2 0 0 1-2 2H7a2 2 0 0 1-2-2V6"/><path d="M3 6h18"/><path d="M8 6V4a2 2 0 0 1 2-2h4a2 2 0 0 1 2 2v2"/></symbol>
58
65
<symbol id="triangle-alert" viewBox="0 0 24 24"><path d="m21.73 18-8-14a2 2 0 0 0-3.48 0l-8 14A2 2 0 0 0 4 21h16a2 2 0 0 0 1.73-3"/><path d="M12 9v4"/><path d="M12 17h.01"/></symbol>
+12
-2
pkg/hold/oci/xrpc.go
+12
-2
pkg/hold/oci/xrpc.go
···
227
227
Architecture string `json:"architecture"`
228
228
} `json:"platform"`
229
229
} `json:"manifests"`
230
+
Subject *struct {
231
+
Digest string `json:"digest"`
232
+
Size int64 `json:"size"`
233
+
MediaType string `json:"mediaType"`
234
+
} `json:"subject"`
230
235
} `json:"manifest"`
231
236
}
232
237
···
401
406
}
402
407
}
403
408
404
-
// Enqueue scan job if scanner is connected (skip manifest lists — children get their own jobs)
405
-
if h.scanBroadcaster != nil && !isMultiArch {
409
+
// Enqueue scan job if scanner is connected (skip manifest lists and attestations — no scannable content)
410
+
if h.scanBroadcaster != nil && !isMultiArch && req.Manifest.Subject == nil {
406
411
tier := "deckhand"
407
412
if stats != nil && stats.Tier != "" {
408
413
tier = stats.Tier
···
454
459
slog.Error("Failed to increment stats", "operation", operation, "error", err)
455
460
} else {
456
461
statsUpdated = true
462
+
}
463
+
464
+
// Also increment daily stats for trend tracking
465
+
if err := h.pds.IncrementDailyStats(ctx, req.UserDID, req.Repository, operation); err != nil {
466
+
slog.Warn("Failed to increment daily stats", "operation", operation, "error", err)
457
467
}
458
468
459
469
// Return response
+435
-177
pkg/hold/pds/scan_broadcaster.go
+435
-177
pkg/hold/pds/scan_broadcaster.go
···
41
41
rescanInterval time.Duration // Minimum interval between re-scans (0 = disabled)
42
42
stopCh chan struct{} // Signal to stop background goroutines
43
43
wg sync.WaitGroup // Wait for background goroutines to finish
44
-
userIdx int // Round-robin index through DIDs for proactive scanning
45
44
predecessorCache map[string]bool // holdDID → "has this hold been migrated (has successor)?"
45
+
relayEndpoint string // Relay URL for listReposByCollection
46
46
47
-
// Relay-based manifest DID discovery
48
-
relayEndpoint string // Relay URL for listReposByCollection
49
-
manifestDIDs []string // Cached list of DIDs with manifest records
50
-
manifestDIDsMu sync.RWMutex // Protects manifestDIDs
47
+
// Work queues for proactive scanning (populated by discovery/stale goroutines)
48
+
unscannedQueue chan *scanCandidate // Medium priority: manifests with no scan record
49
+
staleQueue chan *scanCandidate // Low priority: scan records older than rescanInterval
50
+
inflight map[string]struct{} // Manifest digests currently queued or being scanned
51
+
inflightMu sync.Mutex
52
+
completionSignal chan struct{} // Signaled when a scan job completes (wakes dispatchLoop)
53
+
discoverNow chan struct{} // Signaled to trigger an early discovery pass
51
54
}
52
55
53
56
// ScanSubscriber represents a connected scanner WebSocket client
···
139
142
stopCh: make(chan struct{}),
140
143
predecessorCache: make(map[string]bool),
141
144
relayEndpoint: relayEndpoint,
145
+
unscannedQueue: make(chan *scanCandidate, 500),
146
+
staleQueue: make(chan *scanCandidate, 200),
147
+
inflight: make(map[string]struct{}),
148
+
completionSignal: make(chan struct{}, 1),
149
+
discoverNow: make(chan struct{}, 1),
142
150
}
143
151
144
152
if err := sb.initSchema(); err != nil {
···
149
157
sb.wg.Add(1)
150
158
go sb.reDispatchLoop()
151
159
152
-
// Start proactive scan loop if rescan interval is configured
160
+
// Start proactive scan loops if rescan interval is configured
153
161
if rescanInterval > 0 {
154
-
sb.wg.Add(2)
155
-
go sb.proactiveScanLoop()
156
-
go sb.refreshManifestDIDsLoop()
162
+
sb.wg.Add(3)
163
+
go sb.discoveryLoop()
164
+
go sb.staleScanLoop()
165
+
go sb.dispatchLoop()
157
166
slog.Info("Proactive scan scheduler started", "rescanInterval", rescanInterval, "relayEndpoint", relayEndpoint)
158
167
}
159
168
···
181
190
stopCh: make(chan struct{}),
182
191
predecessorCache: make(map[string]bool),
183
192
relayEndpoint: relayEndpoint,
193
+
unscannedQueue: make(chan *scanCandidate, 500),
194
+
staleQueue: make(chan *scanCandidate, 200),
195
+
inflight: make(map[string]struct{}),
196
+
completionSignal: make(chan struct{}, 1),
197
+
discoverNow: make(chan struct{}, 1),
184
198
}
185
199
186
200
if err := sb.initSchema(); err != nil {
···
190
204
go sb.reDispatchLoop()
191
205
192
206
if rescanInterval > 0 {
193
-
sb.wg.Add(2)
194
-
go sb.proactiveScanLoop()
195
-
go sb.refreshManifestDIDsLoop()
207
+
sb.wg.Add(3)
208
+
go sb.discoveryLoop()
209
+
go sb.staleScanLoop()
210
+
go sb.dispatchLoop()
196
211
slog.Info("Proactive scan scheduler started", "rescanInterval", rescanInterval, "relayEndpoint", relayEndpoint)
197
212
}
198
213
···
238
253
job.HoldDID = sb.holdDID
239
254
job.HoldEndpoint = sb.holdEndpoint
240
255
256
+
// Track in-flight to prevent duplicate proactive scans
257
+
sb.addInflight(job.ManifestDigest)
258
+
241
259
// Insert into database
242
260
result, err := sb.db.Exec(`
243
261
INSERT INTO scan_jobs (manifest_digest, repository, tag, user_did, user_handle, hold_did, hold_endpoint, tier, config_json, layers_json, status)
244
262
VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, 'pending')
245
263
`, job.ManifestDigest, job.Repository, job.Tag, job.UserDID, job.UserHandle, job.HoldDID, job.HoldEndpoint, job.Tier, string(job.Config), string(job.Layers))
246
264
if err != nil {
265
+
sb.removeInflight(job.ManifestDigest)
247
266
return fmt.Errorf("failed to insert scan job: %w", err)
248
267
}
249
268
250
269
seq, err := result.LastInsertId()
251
270
if err != nil {
271
+
sb.removeInflight(job.ManifestDigest)
252
272
return fmt.Errorf("failed to get job seq: %w", err)
253
273
}
254
274
job.Seq = seq
···
294
314
// Drain pending and timed-out jobs from database
295
315
go sb.drainPendingJobs(sub, cursor)
296
316
317
+
// Trigger early discovery pass so missed scans are found quickly
318
+
sb.triggerDiscovery()
319
+
297
320
return sub
298
321
}
299
322
···
309
332
}
310
333
}
311
334
312
-
// Mark assigned jobs as pending again so they can be re-dispatched
335
+
// Mark assigned/processing jobs as pending again so they can be re-dispatched.
336
+
// Including 'processing' handles scanner crashes mid-scan.
313
337
_, err := sb.db.Exec(`
314
338
UPDATE scan_jobs SET status = 'pending', assigned_to = NULL, assigned_at = NULL
315
-
WHERE assigned_to = ? AND status IN ('pending', 'assigned')
339
+
WHERE assigned_to = ? AND status IN ('pending', 'assigned', 'processing')
316
340
`, sub.id)
317
341
if err != nil {
318
342
slog.Error("Failed to unassign jobs from disconnected scanner",
···
542
566
"error", err)
543
567
}
544
568
569
+
// Remove from in-flight tracking and wake dispatch loop
570
+
sb.removeInflight(manifestDigest)
571
+
sb.signalCompletion()
572
+
545
573
slog.Info("Scan job completed",
546
574
"seq", msg.Seq,
547
575
"repository", repository,
···
592
620
"error", err)
593
621
}
594
622
623
+
// Remove from in-flight tracking and wake dispatch loop
624
+
sb.removeInflight(manifestDigest)
625
+
sb.signalCompletion()
626
+
595
627
slog.Warn("Scan job failed",
596
628
"seq", msg.Seq,
597
629
"subscriberId", sub.id,
···
768
800
return sb.secret != "" && secret == sb.secret
769
801
}
770
802
771
-
// refreshManifestDIDsLoop periodically queries the relay to discover all DIDs
772
-
// with io.atcr.manifest records. The cached list is used by the proactive scan loop.
773
-
func (sb *ScanBroadcaster) refreshManifestDIDsLoop() {
803
+
// scanCandidate is a manifest that needs scanning, with its scan freshness.
804
+
type scanCandidate struct {
805
+
manifest atproto.ManifestRecord // May be zero-value for stale candidates (resolved lazily)
806
+
manifestDigest string // Always set; used for dedup and lazy resolution
807
+
userDID string
808
+
userHandle string
809
+
scannedAt time.Time // zero value = never scanned
810
+
}
811
+
812
+
// discoveryLoop fetches DIDs from the relay, walks each user's PDS to find manifests
813
+
// with no scan record, and pushes them to the unscannedQueue. Runs on startup (after
814
+
// settle), then every 4 hours. Scanner reconnect triggers an early pass via discoverNow.
815
+
func (sb *ScanBroadcaster) discoveryLoop() {
774
816
defer sb.wg.Done()
775
817
776
-
// Wait for the system to settle before first refresh
818
+
// Wait for system to settle
777
819
select {
778
820
case <-sb.stopCh:
779
821
return
780
-
case <-time.After(30 * time.Second):
822
+
case <-time.After(45 * time.Second):
781
823
}
782
824
783
-
// Initial refresh
784
-
sb.refreshManifestDIDs()
825
+
slog.Info("Discovery loop started")
826
+
sb.runDiscoveryPass()
785
827
786
-
ticker := time.NewTicker(30 * time.Minute)
828
+
ticker := time.NewTicker(4 * time.Hour)
787
829
defer ticker.Stop()
788
830
789
831
for {
790
832
select {
791
833
case <-sb.stopCh:
792
-
slog.Info("Manifest DID refresh loop stopped")
834
+
slog.Info("Discovery loop stopped")
793
835
return
794
836
case <-ticker.C:
795
-
sb.refreshManifestDIDs()
837
+
sb.runDiscoveryPass()
838
+
case <-sb.discoverNow:
839
+
slog.Info("Discovery loop: early pass triggered (scanner reconnect)")
840
+
sb.runDiscoveryPass()
796
841
}
797
842
}
798
843
}
799
844
800
-
// refreshManifestDIDs queries the relay for all DIDs that have io.atcr.manifest records.
801
-
// On success, atomically replaces the cached DID list. On failure, retains the previous list.
802
-
func (sb *ScanBroadcaster) refreshManifestDIDs() {
803
-
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
845
+
// runDiscoveryPass fetches the DID list from relay and walks each user's PDS.
846
+
func (sb *ScanBroadcaster) runDiscoveryPass() {
847
+
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Minute)
804
848
defer cancel()
805
849
806
-
client := atproto.NewClient(sb.relayEndpoint, "", "")
850
+
// Fetch DID list from relay
851
+
userDIDs := sb.fetchManifestDIDs(ctx)
852
+
if len(userDIDs) == 0 {
853
+
slog.Debug("Discovery: no manifest DIDs from relay")
854
+
return
855
+
}
856
+
857
+
slog.Info("Discovery: starting pass", "users", len(userDIDs))
858
+
found := 0
807
859
860
+
for _, userDID := range userDIDs {
861
+
select {
862
+
case <-sb.stopCh:
863
+
return
864
+
default:
865
+
}
866
+
867
+
n := sb.discoverUnscannedForUser(ctx, userDID)
868
+
found += n
869
+
}
870
+
871
+
slog.Info("Discovery: pass complete", "users", len(userDIDs), "unscannedFound", found)
872
+
}
873
+
874
+
// fetchManifestDIDs queries the relay for all DIDs with io.atcr.manifest records.
875
+
func (sb *ScanBroadcaster) fetchManifestDIDs(ctx context.Context) []string {
876
+
client := atproto.NewClient(sb.relayEndpoint, "", "")
808
877
var allDIDs []string
809
878
var cursor string
810
879
811
880
for {
812
881
result, err := client.ListReposByCollection(ctx, atproto.ManifestCollection, 1000, cursor)
813
882
if err != nil {
814
-
slog.Warn("Proactive scan: failed to list repos from relay",
883
+
slog.Warn("Discovery: failed to list repos from relay",
815
884
"relay", sb.relayEndpoint, "error", err)
816
-
return // Keep existing cached list
885
+
return allDIDs // Return what we have so far
817
886
}
818
887
819
888
for _, repo := range result.Repos {
···
826
895
cursor = result.Cursor
827
896
}
828
897
829
-
sb.manifestDIDsMu.Lock()
830
-
sb.manifestDIDs = allDIDs
831
-
sb.manifestDIDsMu.Unlock()
832
-
833
-
slog.Info("Proactive scan: refreshed manifest DID list from relay",
834
-
"count", len(allDIDs), "relay", sb.relayEndpoint)
835
-
}
836
-
837
-
// proactiveScanLoop periodically finds manifests needing scanning and enqueues jobs.
838
-
// It fetches manifest records from users' PDS (the source of truth) and creates scan
839
-
// jobs for manifests that haven't been scanned recently.
840
-
func (sb *ScanBroadcaster) proactiveScanLoop() {
841
-
defer sb.wg.Done()
842
-
843
-
// Wait for the system to settle and DID list to populate
844
-
select {
845
-
case <-sb.stopCh:
846
-
return
847
-
case <-time.After(45 * time.Second):
848
-
}
849
-
850
-
// Run immediately on startup, then every 60s
851
-
slog.Info("Proactive scan loop started")
852
-
sb.tryEnqueueProactiveScan()
853
-
854
-
ticker := time.NewTicker(60 * time.Second)
855
-
defer ticker.Stop()
856
-
857
-
for {
858
-
select {
859
-
case <-sb.stopCh:
860
-
slog.Info("Proactive scan loop stopped")
861
-
return
862
-
case <-ticker.C:
863
-
sb.tryEnqueueProactiveScan()
864
-
}
865
-
}
898
+
return allDIDs
866
899
}
867
900
868
-
// tryEnqueueProactiveScan finds the next manifest needing a scan and enqueues it.
869
-
// Only enqueues one job per call to avoid flooding the scanner.
870
-
// Uses the cached DID list from the relay (refreshed by refreshManifestDIDsLoop).
871
-
func (sb *ScanBroadcaster) tryEnqueueProactiveScan() {
872
-
if !sb.hasConnectedScanners() {
873
-
slog.Debug("Proactive scan: no scanners connected, skipping")
874
-
return
875
-
}
876
-
if sb.hasActiveJobs() {
877
-
slog.Debug("Proactive scan: active jobs in queue, skipping")
878
-
return
879
-
}
880
-
881
-
ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
882
-
defer cancel()
883
-
884
-
// Read cached DID list from relay discovery
885
-
sb.manifestDIDsMu.RLock()
886
-
userDIDs := sb.manifestDIDs
887
-
sb.manifestDIDsMu.RUnlock()
888
-
889
-
if len(userDIDs) == 0 {
890
-
slog.Debug("Proactive scan: no manifest DIDs cached from relay, skipping")
891
-
return
892
-
}
893
-
894
-
// Round-robin through DIDs, trying each until we find work or exhaust the list
895
-
for attempts := 0; attempts < len(userDIDs); attempts++ {
896
-
idx := sb.userIdx % len(userDIDs)
897
-
sb.userIdx++
898
-
userDID := userDIDs[idx]
899
-
900
-
if sb.tryEnqueueForUser(ctx, userDID) {
901
-
return // Enqueued one job, done for this tick
902
-
}
903
-
}
904
-
}
905
-
906
-
// scanCandidate is a manifest that needs scanning, with its scan freshness.
907
-
type scanCandidate struct {
908
-
manifest atproto.ManifestRecord
909
-
userDID string
910
-
userHandle string
911
-
scannedAt time.Time // zero value = never scanned
912
-
}
913
-
914
-
// tryEnqueueForUser fetches manifests from a user's PDS and enqueues a scan for the
915
-
// one that most needs it: never-scanned manifests first, then the stalest scan.
916
-
// Returns true if a job was enqueued.
917
-
func (sb *ScanBroadcaster) tryEnqueueForUser(ctx context.Context, userDID string) bool {
918
-
// Resolve user DID to PDS endpoint and handle
901
+
// discoverUnscannedForUser fetches manifests from a user's PDS and pushes any
902
+
// without scan records to the unscannedQueue. Returns count of candidates found.
903
+
func (sb *ScanBroadcaster) discoverUnscannedForUser(ctx context.Context, userDID string) int {
919
904
did, userHandle, pdsEndpoint, err := atproto.ResolveIdentity(ctx, userDID)
920
905
if err != nil {
921
-
slog.Debug("Proactive scan: failed to resolve user identity",
906
+
slog.Debug("Discovery: failed to resolve user identity",
922
907
"userDID", userDID, "error", err)
923
-
return false
908
+
return 0
924
909
}
925
910
926
-
// Collect all scannable manifests with their scan age
927
-
var unscanned []scanCandidate
928
-
var oldest *scanCandidate
929
-
911
+
found := 0
930
912
client := atproto.NewClient(pdsEndpoint, did, "")
931
913
var cursor string
932
914
for {
933
915
records, nextCursor, err := client.ListRecordsForRepo(ctx, did, atproto.ManifestCollection, 100, cursor)
934
916
if err != nil {
935
-
slog.Debug("Proactive scan: failed to list manifest records",
917
+
slog.Debug("Discovery: failed to list manifest records",
936
918
"userDID", did, "pds", pdsEndpoint, "error", err)
937
-
return false
919
+
return found
938
920
}
939
921
940
922
for _, record := range records {
···
943
925
continue
944
926
}
945
927
946
-
// Check if this manifest belongs to us (directly or via successor)
928
+
// Check if this manifest belongs to us
947
929
holdDID := manifest.HoldDID
948
930
if holdDID == "" {
949
931
holdDID = manifest.HoldEndpoint // Legacy field
···
952
934
continue
953
935
}
954
936
955
-
// Skip manifest lists (no layers to scan)
956
-
if len(manifest.Layers) == 0 {
937
+
// Skip manifest lists and attestations (no scannable content)
938
+
if len(manifest.Layers) == 0 || manifest.Subject != nil || manifest.Config == nil {
957
939
continue
958
940
}
959
941
960
-
// Skip if config is nil
961
-
if manifest.Config == nil {
942
+
// Check if already in-flight
943
+
if !sb.addInflight(manifest.Digest) {
962
944
continue
963
945
}
964
946
965
-
// Check scan status
966
-
_, scanRecord, err := sb.pds.GetScanRecord(ctx, manifest.Digest)
947
+
// Check scan status — only interested in never-scanned
948
+
_, _, err := sb.pds.GetScanRecord(ctx, manifest.Digest)
949
+
if err == nil {
950
+
// Has a scan record — not our concern (stale loop handles rescans)
951
+
sb.removeInflight(manifest.Digest)
952
+
continue
953
+
}
954
+
955
+
// Never scanned — push to queue
956
+
candidate := &scanCandidate{
957
+
manifest: manifest,
958
+
manifestDigest: manifest.Digest,
959
+
userDID: did,
960
+
userHandle: userHandle,
961
+
}
962
+
963
+
select {
964
+
case sb.unscannedQueue <- candidate:
965
+
found++
966
+
case <-sb.stopCh:
967
+
sb.removeInflight(manifest.Digest)
968
+
return found
969
+
}
970
+
}
971
+
972
+
if nextCursor == "" || len(records) == 0 {
973
+
break
974
+
}
975
+
cursor = nextCursor
976
+
}
977
+
978
+
return found
979
+
}
980
+
981
+
// staleScanLoop walks local scan records to find stale scans (older than rescanInterval)
982
+
// and pushes them to the staleQueue. No PDS calls needed — all data is local.
983
+
// After a full pass, sleeps for rescanInterval/2 before repeating.
984
+
func (sb *ScanBroadcaster) staleScanLoop() {
985
+
defer sb.wg.Done()
986
+
987
+
// Short initial delay to let system settle
988
+
select {
989
+
case <-sb.stopCh:
990
+
return
991
+
case <-time.After(10 * time.Second):
992
+
}
993
+
994
+
slog.Info("Stale scan loop started")
995
+
996
+
for {
997
+
sb.runStalePass()
998
+
999
+
sleepDuration := sb.rescanInterval / 2
1000
+
if sleepDuration < 1*time.Hour {
1001
+
sleepDuration = 1 * time.Hour
1002
+
}
1003
+
1004
+
select {
1005
+
case <-sb.stopCh:
1006
+
slog.Info("Stale scan loop stopped")
1007
+
return
1008
+
case <-time.After(sleepDuration):
1009
+
}
1010
+
}
1011
+
}
1012
+
1013
+
// runStalePass walks all scan records and pushes stale ones to the staleQueue.
1014
+
func (sb *ScanBroadcaster) runStalePass() {
1015
+
ri := sb.pds.RecordsIndex()
1016
+
if ri == nil {
1017
+
slog.Debug("Stale scan: no records index available")
1018
+
return
1019
+
}
1020
+
1021
+
ctx := context.Background()
1022
+
found := 0
1023
+
var cursor string
1024
+
1025
+
for {
1026
+
records, nextCursor, err := ri.ListRecords(atproto.ScanCollection, 100, cursor, true) // oldest first
1027
+
if err != nil {
1028
+
slog.Error("Stale scan: failed to list scan records", "error", err)
1029
+
return
1030
+
}
1031
+
1032
+
for _, record := range records {
1033
+
select {
1034
+
case <-sb.stopCh:
1035
+
return
1036
+
default:
1037
+
}
1038
+
1039
+
// The rkey is the manifest digest (without sha256: prefix)
1040
+
manifestDigest := "sha256:" + record.Rkey
1041
+
1042
+
// Check if already in-flight
1043
+
if !sb.addInflight(manifestDigest) {
1044
+
continue
1045
+
}
1046
+
1047
+
// Fetch the actual scan record to check staleness
1048
+
_, scanRecord, err := sb.pds.GetScanRecord(ctx, manifestDigest)
967
1049
if err != nil {
968
-
// No scan record — never scanned
969
-
unscanned = append(unscanned, scanCandidate{
970
-
manifest: manifest,
971
-
userDID: did,
972
-
userHandle: userHandle,
973
-
})
1050
+
sb.removeInflight(manifestDigest)
974
1051
continue
975
1052
}
976
1053
977
1054
scannedAt, err := time.Parse(time.RFC3339, scanRecord.ScannedAt)
978
1055
if err != nil {
979
-
// Can't parse timestamp — treat as never scanned
980
-
unscanned = append(unscanned, scanCandidate{
981
-
manifest: manifest,
982
-
userDID: did,
983
-
userHandle: userHandle,
984
-
})
1056
+
sb.removeInflight(manifestDigest)
985
1057
continue
986
1058
}
987
1059
988
1060
// Skip if scanned recently
989
1061
if time.Since(scannedAt) < sb.rescanInterval {
1062
+
sb.removeInflight(manifestDigest)
990
1063
continue
991
1064
}
992
1065
993
-
// Stale scan — track the oldest
994
-
if oldest == nil || scannedAt.Before(oldest.scannedAt) {
995
-
oldest = &scanCandidate{
996
-
manifest: manifest,
997
-
userDID: did,
998
-
userHandle: userHandle,
999
-
scannedAt: scannedAt,
1000
-
}
1066
+
candidate := &scanCandidate{
1067
+
manifestDigest: manifestDigest,
1068
+
userDID: scanRecord.UserDID,
1069
+
scannedAt: scannedAt,
1070
+
}
1071
+
1072
+
select {
1073
+
case sb.staleQueue <- candidate:
1074
+
found++
1075
+
case <-sb.stopCh:
1076
+
sb.removeInflight(manifestDigest)
1077
+
return
1001
1078
}
1002
1079
}
1003
1080
···
1007
1084
cursor = nextCursor
1008
1085
}
1009
1086
1010
-
// Prefer never-scanned, then oldest stale scan
1011
-
var pick *scanCandidate
1012
-
if len(unscanned) > 0 {
1013
-
pick = &unscanned[0]
1014
-
} else if oldest != nil {
1015
-
pick = oldest
1087
+
if found > 0 {
1088
+
slog.Info("Stale scan: pass complete", "staleCandidates", found)
1016
1089
}
1090
+
}
1017
1091
1018
-
if pick == nil {
1019
-
return false
1092
+
// dispatchLoop pops candidates from the work queues with strict priority
1093
+
// (unscanned before stale) and enqueues them as scan jobs. Throttled to one
1094
+
// proactive job at a time via hasActiveJobs().
1095
+
func (sb *ScanBroadcaster) dispatchLoop() {
1096
+
defer sb.wg.Done()
1097
+
1098
+
// Wait for system to settle
1099
+
select {
1100
+
case <-sb.stopCh:
1101
+
return
1102
+
case <-time.After(15 * time.Second):
1020
1103
}
1021
1104
1022
-
configJSON, _ := json.Marshal(pick.manifest.Config)
1023
-
layersJSON, _ := json.Marshal(pick.manifest.Layers)
1105
+
slog.Info("Dispatch loop started")
1106
+
1107
+
for {
1108
+
select {
1109
+
case <-sb.stopCh:
1110
+
slog.Info("Dispatch loop stopped")
1111
+
return
1112
+
default:
1113
+
}
1114
+
1115
+
// Wait until there's capacity (no active proactive jobs)
1116
+
if !sb.waitForCapacity() {
1117
+
return // stopCh closed
1118
+
}
1119
+
1120
+
// Wait until at least one scanner is connected
1121
+
if !sb.hasConnectedScanners() {
1122
+
select {
1123
+
case <-sb.stopCh:
1124
+
return
1125
+
case <-time.After(5 * time.Second):
1126
+
}
1127
+
continue
1128
+
}
1129
+
1130
+
// Pop from highest-priority non-empty queue
1131
+
var candidate *scanCandidate
1132
+
1133
+
select {
1134
+
case c := <-sb.unscannedQueue:
1135
+
candidate = c
1136
+
default:
1137
+
// No unscanned; try stale
1138
+
select {
1139
+
case c := <-sb.staleQueue:
1140
+
candidate = c
1141
+
default:
1142
+
// Both queues empty — wait for completion signal or timeout
1143
+
select {
1144
+
case <-sb.stopCh:
1145
+
return
1146
+
case <-sb.completionSignal:
1147
+
case <-time.After(30 * time.Second):
1148
+
}
1149
+
continue
1150
+
}
1151
+
}
1152
+
1153
+
sb.dispatchCandidate(candidate)
1154
+
}
1155
+
}
1156
+
1157
+
// waitForCapacity blocks until there are no active proactive scan jobs.
1158
+
// Returns false if stopCh is closed.
1159
+
func (sb *ScanBroadcaster) waitForCapacity() bool {
1160
+
for {
1161
+
if !sb.hasActiveJobs() {
1162
+
return true
1163
+
}
1164
+
select {
1165
+
case <-sb.stopCh:
1166
+
return false
1167
+
case <-sb.completionSignal:
1168
+
// Job completed, check again
1169
+
case <-time.After(5 * time.Second):
1170
+
// Periodic check as fallback
1171
+
}
1172
+
}
1173
+
}
1174
+
1175
+
// dispatchCandidate resolves manifest details if needed and enqueues a scan job.
1176
+
func (sb *ScanBroadcaster) dispatchCandidate(candidate *scanCandidate) {
1177
+
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
1178
+
defer cancel()
1179
+
1180
+
// For stale candidates, verify the scan is still stale (may have been
1181
+
// scanned by a push-triggered job while sitting in the queue)
1182
+
if !candidate.scannedAt.IsZero() {
1183
+
_, scanRecord, err := sb.pds.GetScanRecord(ctx, candidate.manifestDigest)
1184
+
if err == nil {
1185
+
scannedAt, parseErr := time.Parse(time.RFC3339, scanRecord.ScannedAt)
1186
+
if parseErr == nil && time.Since(scannedAt) < sb.rescanInterval {
1187
+
// Recently scanned, skip
1188
+
sb.removeInflight(candidate.manifestDigest)
1189
+
return
1190
+
}
1191
+
}
1192
+
}
1193
+
1194
+
// Resolve manifest details if not already present (stale candidates lack Config/Layers)
1195
+
if candidate.manifest.Config == nil {
1196
+
if !sb.resolveManifestForCandidate(ctx, candidate) {
1197
+
sb.removeInflight(candidate.manifestDigest)
1198
+
return
1199
+
}
1200
+
}
1201
+
1202
+
configJSON, _ := json.Marshal(candidate.manifest.Config)
1203
+
layersJSON, _ := json.Marshal(candidate.manifest.Layers)
1024
1204
1025
1205
reason := "never scanned"
1026
-
if !pick.scannedAt.IsZero() {
1027
-
reason = fmt.Sprintf("last scanned %s ago", time.Since(pick.scannedAt).Truncate(time.Minute))
1206
+
if !candidate.scannedAt.IsZero() {
1207
+
reason = fmt.Sprintf("last scanned %s ago", time.Since(candidate.scannedAt).Truncate(time.Minute))
1028
1208
}
1029
1209
1030
-
slog.Info("Enqueuing proactive scan",
1031
-
"manifestDigest", pick.manifest.Digest,
1032
-
"repository", pick.manifest.Repository,
1033
-
"userDID", pick.userDID,
1210
+
slog.Info("Dispatching proactive scan",
1211
+
"manifestDigest", candidate.manifestDigest,
1212
+
"repository", candidate.manifest.Repository,
1213
+
"userDID", candidate.userDID,
1034
1214
"reason", reason)
1035
1215
1036
1216
if err := sb.Enqueue(&ScanJobEvent{
1037
-
ManifestDigest: pick.manifest.Digest,
1038
-
Repository: pick.manifest.Repository,
1039
-
UserDID: pick.userDID,
1040
-
UserHandle: pick.userHandle,
1217
+
ManifestDigest: candidate.manifestDigest,
1218
+
Repository: candidate.manifest.Repository,
1219
+
UserDID: candidate.userDID,
1220
+
UserHandle: candidate.userHandle,
1041
1221
Tier: "deckhand",
1042
1222
Config: configJSON,
1043
1223
Layers: layersJSON,
1044
1224
}); err != nil {
1045
-
slog.Error("Proactive scan: failed to enqueue",
1046
-
"manifest", pick.manifest.Digest, "error", err)
1225
+
slog.Error("Dispatch: failed to enqueue",
1226
+
"manifest", candidate.manifestDigest, "error", err)
1227
+
// removeInflight not needed — Enqueue already cleans up on error
1228
+
}
1229
+
}
1230
+
1231
+
// resolveManifestForCandidate fetches the manifest from the user's PDS to populate
1232
+
// Config and Layers fields needed for the scan job.
1233
+
func (sb *ScanBroadcaster) resolveManifestForCandidate(ctx context.Context, candidate *scanCandidate) bool {
1234
+
did, userHandle, pdsEndpoint, err := atproto.ResolveIdentity(ctx, candidate.userDID)
1235
+
if err != nil {
1236
+
slog.Debug("Dispatch: failed to resolve user identity",
1237
+
"userDID", candidate.userDID, "error", err)
1047
1238
return false
1048
1239
}
1049
-
return true
1240
+
if candidate.userHandle == "" {
1241
+
candidate.userHandle = userHandle
1242
+
}
1243
+
1244
+
client := atproto.NewClient(pdsEndpoint, did, "")
1245
+
var cursor string
1246
+
for {
1247
+
records, nextCursor, err := client.ListRecordsForRepo(ctx, did, atproto.ManifestCollection, 100, cursor)
1248
+
if err != nil {
1249
+
return false
1250
+
}
1251
+
1252
+
for _, record := range records {
1253
+
var manifest atproto.ManifestRecord
1254
+
if err := json.Unmarshal(record.Value, &manifest); err != nil {
1255
+
continue
1256
+
}
1257
+
1258
+
if manifest.Digest == candidate.manifestDigest {
1259
+
candidate.manifest = manifest
1260
+
return true
1261
+
}
1262
+
}
1263
+
1264
+
if nextCursor == "" || len(records) == 0 {
1265
+
break
1266
+
}
1267
+
cursor = nextCursor
1268
+
}
1269
+
1270
+
slog.Debug("Dispatch: manifest not found on user's PDS",
1271
+
"manifestDigest", candidate.manifestDigest,
1272
+
"userDID", candidate.userDID)
1273
+
return false
1050
1274
}
1051
1275
1052
1276
// isOurManifest checks if a manifest's holdDID matches this hold directly,
···
1161
1385
_, _ = rand.Read(b)
1162
1386
return hex.EncodeToString(b)
1163
1387
}
1388
+
1389
+
// addInflight marks a manifest digest as in-flight. Returns false if already present.
1390
+
func (sb *ScanBroadcaster) addInflight(digest string) bool {
1391
+
sb.inflightMu.Lock()
1392
+
defer sb.inflightMu.Unlock()
1393
+
if _, ok := sb.inflight[digest]; ok {
1394
+
return false
1395
+
}
1396
+
sb.inflight[digest] = struct{}{}
1397
+
return true
1398
+
}
1399
+
1400
+
// removeInflight removes a manifest digest from the in-flight set.
1401
+
func (sb *ScanBroadcaster) removeInflight(digest string) {
1402
+
sb.inflightMu.Lock()
1403
+
defer sb.inflightMu.Unlock()
1404
+
delete(sb.inflight, digest)
1405
+
}
1406
+
1407
+
// signalCompletion non-blocking signal to wake the dispatch loop.
1408
+
func (sb *ScanBroadcaster) signalCompletion() {
1409
+
select {
1410
+
case sb.completionSignal <- struct{}{}:
1411
+
default:
1412
+
}
1413
+
}
1414
+
1415
+
// triggerDiscovery non-blocking signal to trigger an early discovery pass.
1416
+
func (sb *ScanBroadcaster) triggerDiscovery() {
1417
+
select {
1418
+
case sb.discoverNow <- struct{}{}:
1419
+
default:
1420
+
}
1421
+
}
+1
pkg/hold/pds/server.go
+1
pkg/hold/pds/server.go
···
31
31
lexutil.RegisterType(atproto.LayerCollection, &atproto.LayerRecord{})
32
32
lexutil.RegisterType(atproto.TangledProfileCollection, &atproto.TangledProfileRecord{})
33
33
lexutil.RegisterType(atproto.StatsCollection, &atproto.StatsRecord{})
34
+
lexutil.RegisterType(atproto.DailyStatsCollection, &atproto.DailyStatsRecord{})
34
35
lexutil.RegisterType(atproto.ScanCollection, &atproto.ScanRecord{})
35
36
lexutil.RegisterType(atproto.ImageConfigCollection, &atproto.ImageConfigRecord{})
36
37
}
+209
pkg/hold/pds/stats.go
+209
pkg/hold/pds/stats.go
···
75
75
return nil
76
76
}
77
77
78
+
// IncrementDailyStats increments the daily pull or push count for a repository
79
+
// Creates a new daily record if none exists for the current date, updates existing otherwise
80
+
// On first daily record for a repo, seeds it with existing cumulative stats so trend charts
81
+
// have a starting data point for pre-daily-tracking history
82
+
func (p *HoldPDS) IncrementDailyStats(ctx context.Context, ownerDID, repository, operation string) error {
83
+
if operation != "pull" && operation != "push" {
84
+
return fmt.Errorf("invalid operation: %s (must be 'pull' or 'push')", operation)
85
+
}
86
+
87
+
date := time.Now().UTC().Format("2006-01-02")
88
+
rkey := atproto.DailyStatsRecordKey(ownerDID, repository, date)
89
+
now := time.Now().Format(time.RFC3339)
90
+
91
+
// Try to get existing daily record for today
92
+
_, existing, err := p.GetDailyStats(ctx, ownerDID, repository, date)
93
+
if err != nil {
94
+
// No daily record for today — check if we need to seed from cumulative stats
95
+
seedPull, seedPush := p.getSeedCounts(ctx, ownerDID, repository)
96
+
97
+
record := atproto.NewDailyStatsRecord(ownerDID, repository, date)
98
+
if operation == "pull" {
99
+
record.PullCount = 1
100
+
} else {
101
+
record.PushCount = 1
102
+
}
103
+
record.UpdatedAt = now
104
+
105
+
// If there are existing cumulative counts but no daily records yet,
106
+
// create a seed record for the previous day with the historical totals
107
+
if seedPull > 0 || seedPush > 0 {
108
+
if err := p.seedDailyStats(ctx, ownerDID, repository, date, seedPull, seedPush); err != nil {
109
+
slog.Warn("Failed to seed daily stats from cumulative",
110
+
"ownerDID", ownerDID,
111
+
"repository", repository,
112
+
"error", err)
113
+
}
114
+
}
115
+
116
+
_, _, err := p.repomgr.PutRecord(ctx, p.uid, atproto.DailyStatsCollection, rkey, record)
117
+
if err != nil {
118
+
return fmt.Errorf("failed to create daily stats record: %w", err)
119
+
}
120
+
121
+
slog.Debug("Created daily stats record",
122
+
"ownerDID", ownerDID,
123
+
"repository", repository,
124
+
"date", date,
125
+
"operation", operation)
126
+
return nil
127
+
}
128
+
129
+
// Record exists — increment
130
+
if operation == "pull" {
131
+
existing.PullCount++
132
+
} else {
133
+
existing.PushCount++
134
+
}
135
+
existing.UpdatedAt = now
136
+
137
+
_, err = p.repomgr.UpdateRecord(ctx, p.uid, atproto.DailyStatsCollection, rkey, existing)
138
+
if err != nil {
139
+
return fmt.Errorf("failed to update daily stats record: %w", err)
140
+
}
141
+
142
+
slog.Debug("Updated daily stats record",
143
+
"ownerDID", ownerDID,
144
+
"repository", repository,
145
+
"date", date,
146
+
"operation", operation,
147
+
"pullCount", existing.PullCount,
148
+
"pushCount", existing.PushCount)
149
+
return nil
150
+
}
151
+
152
+
// getSeedCounts returns the cumulative pull/push counts from io.atcr.hold.stats
153
+
// minus any already-tracked daily counts. Returns (0, 0) if no seeding is needed.
154
+
func (p *HoldPDS) getSeedCounts(ctx context.Context, ownerDID, repository string) (int64, int64) {
155
+
// Check if any daily records already exist for this repo
156
+
dailyStats, err := p.ListDailyStatsForRepo(ctx, ownerDID, repository)
157
+
if err == nil && len(dailyStats) > 0 {
158
+
// Daily records already exist — no seeding needed
159
+
return 0, 0
160
+
}
161
+
162
+
// Get cumulative stats
163
+
_, cumulative, err := p.GetStats(ctx, ownerDID, repository)
164
+
if err != nil || cumulative == nil {
165
+
return 0, 0
166
+
}
167
+
168
+
return cumulative.PullCount, cumulative.PushCount
169
+
}
170
+
171
+
// seedDailyStats creates a seed daily record with historical cumulative totals
172
+
// dated to the day before the first real daily record
173
+
func (p *HoldPDS) seedDailyStats(ctx context.Context, ownerDID, repository, currentDate string, pullCount, pushCount int64) error {
174
+
// Parse current date and go back one day for the seed record
175
+
t, err := time.Parse("2006-01-02", currentDate)
176
+
if err != nil {
177
+
return fmt.Errorf("failed to parse date: %w", err)
178
+
}
179
+
seedDate := t.AddDate(0, 0, -1).Format("2006-01-02")
180
+
rkey := atproto.DailyStatsRecordKey(ownerDID, repository, seedDate)
181
+
182
+
record := atproto.NewDailyStatsRecord(ownerDID, repository, seedDate)
183
+
record.PullCount = pullCount
184
+
record.PushCount = pushCount
185
+
record.UpdatedAt = time.Now().Format(time.RFC3339)
186
+
187
+
_, _, err = p.repomgr.PutRecord(ctx, p.uid, atproto.DailyStatsCollection, rkey, record)
188
+
if err != nil {
189
+
return fmt.Errorf("failed to create seed daily stats record: %w", err)
190
+
}
191
+
192
+
slog.Info("Seeded daily stats from cumulative totals",
193
+
"ownerDID", ownerDID,
194
+
"repository", repository,
195
+
"seedDate", seedDate,
196
+
"pullCount", pullCount,
197
+
"pushCount", pushCount)
198
+
return nil
199
+
}
200
+
201
+
// GetDailyStats retrieves the daily stats record for a repository on a specific date
202
+
func (p *HoldPDS) GetDailyStats(ctx context.Context, ownerDID, repository, date string) (cid.Cid, *atproto.DailyStatsRecord, error) {
203
+
rkey := atproto.DailyStatsRecordKey(ownerDID, repository, date)
204
+
205
+
recordCID, val, err := p.repomgr.GetRecord(ctx, p.uid, atproto.DailyStatsCollection, rkey, cid.Undef)
206
+
if err != nil {
207
+
return cid.Undef, nil, err
208
+
}
209
+
210
+
dailyRecord, ok := val.(*atproto.DailyStatsRecord)
211
+
if !ok {
212
+
return cid.Undef, nil, fmt.Errorf("unexpected type for daily stats record: %T", val)
213
+
}
214
+
215
+
return recordCID, dailyRecord, nil
216
+
}
217
+
218
+
// ListDailyStatsForRepo returns all daily stats records for a specific owner+repo
219
+
func (p *HoldPDS) ListDailyStatsForRepo(ctx context.Context, ownerDID, repository string) ([]*atproto.DailyStatsRecord, error) {
220
+
session, err := p.carstore.ReadOnlySession(p.uid)
221
+
if err != nil {
222
+
return nil, fmt.Errorf("failed to get read-only session: %w", err)
223
+
}
224
+
225
+
head, err := p.carstore.GetUserRepoHead(ctx, p.uid)
226
+
if err != nil {
227
+
return nil, fmt.Errorf("failed to get repo head: %w", err)
228
+
}
229
+
230
+
if !head.Defined() {
231
+
return []*atproto.DailyStatsRecord{}, nil
232
+
}
233
+
234
+
r, err := repo.OpenRepo(ctx, session, head)
235
+
if err != nil {
236
+
return nil, fmt.Errorf("failed to open repo: %w", err)
237
+
}
238
+
239
+
var stats []*atproto.DailyStatsRecord
240
+
241
+
err = r.ForEach(ctx, atproto.DailyStatsCollection, func(k string, v cid.Cid) error {
242
+
parts := strings.Split(k, "/")
243
+
if len(parts) < 2 {
244
+
return nil
245
+
}
246
+
247
+
actualCollection := strings.Join(parts[:len(parts)-1], "/")
248
+
if actualCollection != atproto.DailyStatsCollection {
249
+
return repo.ErrDoneIterating
250
+
}
251
+
252
+
_, recBytes, err := r.GetRecordBytes(ctx, k)
253
+
if err != nil {
254
+
slog.Warn("Failed to get daily stats record bytes", "key", k, "error", err)
255
+
return nil
256
+
}
257
+
258
+
if recBytes == nil {
259
+
return nil
260
+
}
261
+
262
+
var dailyRecord atproto.DailyStatsRecord
263
+
if err := dailyRecord.UnmarshalCBOR(bytes.NewReader(*recBytes)); err != nil {
264
+
slog.Warn("Failed to unmarshal daily stats record", "key", k, "error", err)
265
+
return nil
266
+
}
267
+
268
+
if dailyRecord.OwnerDID == ownerDID && dailyRecord.Repository == repository {
269
+
stats = append(stats, &dailyRecord)
270
+
}
271
+
return nil
272
+
})
273
+
274
+
if err != nil {
275
+
if errors.Is(err, repo.ErrDoneIterating) {
276
+
// Expected
277
+
} else if strings.Contains(err.Error(), "not found") {
278
+
return []*atproto.DailyStatsRecord{}, nil
279
+
} else {
280
+
return nil, fmt.Errorf("failed to iterate daily stats records: %w", err)
281
+
}
282
+
}
283
+
284
+
return stats, nil
285
+
}
286
+
78
287
// GetStats retrieves the stats record for a repository
79
288
// Returns nil, nil if no stats record exists
80
289
func (p *HoldPDS) GetStats(ctx context.Context, ownerDID, repository string) (cid.Cid, *atproto.StatsRecord, error) {
+2
scanner/internal/scan/worker.go
+2
scanner/internal/scan/worker.go
···
122
122
// container images so Syft/Grype can't analyze their layers.
123
123
var unscannableConfigTypes = map[string]bool{
124
124
"application/vnd.cncf.helm.config.v1+json": true, // Helm charts
125
+
"application/vnd.in-toto+json": true, // In-toto attestations
126
+
"application/vnd.dsse.envelope.v1+json": true, // DSSE envelopes (SLSA)
125
127
}
126
128
127
129
func (wp *WorkerPool) processJob(ctx context.Context, job *scanner.ScanJob) (*scanner.ScanResult, error) {
+1
-1
scripts/publish-artifact.sh
+1
-1
scripts/publish-artifact.sh
···
1
1
#!/usr/bin/env bash
2
2
set -e
3
-
goat account login -u evan.jarrett.net -p "${APP_PASSWORD}"
3
+
goat account login -u "${TANGLED_REPO_DID}" -p "${APP_PASSWORD}"
4
4
TAG_HASH=$(git rev-parse "$TAG") &&
5
5
TAG_BYTES=$(echo -n "$TAG_HASH" | xxd -r -p | base64 | tr -d '=') &&
6
6
BLOB_OUTPUT=$(goat blob upload "$ARTIFACT_PATH") &&