Enforce deny unwrap_used

feat: integrate AgentService into app service and enhance configuration handling
refactor app service
2025-12-28 19:07:17 +08:00 · 2025-12-28 18:35:53 +08:00 · 2025-12-28 18:28:28 +08:00 · 2025-12-28 18:08:55 +08:00 · 2025-12-28 17:53:27 +08:00 · 2025-12-28 16:42:12 +08:00
63 changed files with 5102 additions and 1531 deletions
--- a/.github/actions/setup-rust/action.yml
+++ b/.github/actions/setup-rust/action.yml
@@ -22,7 +22,7 @@ runs:
        fetch-depth: 0
    - name: Cache cargo registry
-      uses: actions/cache@v3
+      uses: actions/cache@v4
      with:
        path: ~/.cargo/registry
        key: ${{ runner.os }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }}
@@ -30,7 +30,7 @@ runs:
          ${{ runner.os }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }}
    - name: Cache cargo index
-      uses: actions/cache@v3
+      uses: actions/cache@v4
      with:
        path: ~/.cargo/index
        key: ${{ runner.os }}-cargo-index-${{ hashFiles('**/Cargo.lock') }}
@@ -51,7 +51,7 @@ runs:
          ${{ runner.os }}-rustup-
    - name: Cache cargo build (target)
-      uses: actions/cache@v3
+      uses: actions/cache@v4
      with:
        path: target
        key: ${{ runner.os }}-cargo-build-${{ hashFiles('**/Cargo.lock') }}
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -12,11 +12,8 @@ on:
 jobs:
  # setup is now handled by a composite action used by downstream jobs to keep
  # the workflow DRY. The composite action performs checkout, cache restore and
  # toolchain setup.
-  test:
+  test-crates:
    needs: frontend-build
    runs-on: ubuntu-latest
    steps:
@@ -39,7 +36,7 @@ jobs:
      - name: Run tests
        run: cargo test --all-features
-  lint:
+  lint-crates:
    needs: frontend-build
    runs-on: ubuntu-latest
    steps:
@@ -83,13 +80,13 @@ jobs:
        with:
          node-version: 22
          cache: 'pnpm'
-          cache-dependency-path: apps/frontend/pnpm-lock.yaml
+          cache-dependency-path: pnpm-lock.yaml
      - name: Install frontend dependencies
        run: |
          cd apps/frontend
          pnpm install
-      
+
      - name: Run frontend linter
        run: |
          cd apps/frontend
@@ -114,7 +111,7 @@ jobs:
        with:
          node-version: 22
          cache: 'pnpm'
-          cache-dependency-path: apps/frontend/pnpm-lock.yaml
+          cache-dependency-path: pnpm-lock.yaml
      - name: Install frontend dependencies
        run: |
@@ -142,12 +139,12 @@ jobs:
        with:
          node-version: 22
          cache: 'pnpm'
-          cache-dependency-path: apps/frontend/pnpm-lock.yaml
+          cache-dependency-path: pnpm-lock.yaml
      - name: Install frontend dependencies
        run: |
          cd apps/frontend
-          pnpm install
+          pnpm install --frozen-lockfile
      - name: Build frontend
        run: |
--- a/.github/workflows/verify.yml
+++ b/.github/workflows/verify.yml
@@ -11,18 +11,15 @@ on:
 jobs:
  # setup is now handled by a composite action used by downstream jobs to keep
  # the workflow DRY. The composite action performs checkout, cache restore and
  # toolchain setup.
-  verify-generated-code:
+  verify-generated-database-code:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
-          
+
      - name: Setup Rust, checkout and restore caches
        uses: ./.github/actions/setup-rust
@@ -32,14 +29,62 @@ jobs:
          cargo run -- db:migrate_and_generate --output-path ../../public/database/src/generated/entities
      - name: Check for uncommitted changes in /generated/
        run: |
-          if [[ -n $(git status --porcelain | grep '^ M .*\/generated\/') ]]; then
+          if [[ -n $(git status --porcelain --untracked-files=all | grep '/generated/') ]]; then
            echo "Generated code is not up to date. Please run the code generation locally and commit the changes."
-            git status --porcelain | grep '^ M .*\/generated\/'
+            git status --porcelain --untracked-files=all | grep '/generated/'
            exit 1
          else
            echo "Generated code is up to date."
          fi
  verify-generated-agent-code:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - uses: actions/setup-java@v5
        with:
          distribution: 'temurin'
          java-version: '21'
      - name: Setup Rust, checkout and restore caches
        uses: ./.github/actions/setup-rust
      - name: Setup PNPM
        uses: pnpm/action-setup@v4
        with:
          version: 10
          run_install: false
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: 'pnpm'
          cache-dependency-path: pnpm-lock.yaml
      - name: Install root dependencies
        run: |
          pnpm install --frozen-lockfile
      - name: generate agent client code
        run: |
          pnpm just generate-agent-client
      - name: Check for uncommitted changes in agent client code
        run: |
          if [[ -n $(git status --porcelain --untracked-files=all | grep 'public/agent-client/') ]]; then
            echo "Agent client code is not up to date. Please run the agent client code generation locally and commit the changes."
            git status --porcelain --untracked-files=all | grep 'public/agent-client/'
            exit 1
          else
            echo "Agent client code is up to date."
          fi
  verify-openapi-spec:
    runs-on: ubuntu-latest
    steps:
@@ -83,7 +128,7 @@ jobs:
      - name: Setup Rust, checkout and restore caches
        if: steps.check_changes.outputs.changed == 'true'
        uses: ./.github/actions/setup-rust
-      
+
      - name: Generate dummy frontend build (to satisfy dependencies)
        if: steps.check_changes.outputs.changed == 'true'
        run: |
@@ -95,13 +140,13 @@ jobs:
        run: |
          cd apps/api
          cargo run -- generate:openapi --output-path ./swagger.json
-      
+
      - name: Check for uncommitted changes in swagger.json
        if: steps.check_changes.outputs.changed == 'true'
        run: |
-          if [[ -n $(git status --porcelain | grep '^ M apps/api/swagger.json') ]]; then
+          if [[ -n $(git status --porcelain --untracked-files=all | grep 'apps/api/swagger.json') ]]; then
            echo "OpenAPI spec is not up to date. Please run the OpenAPI generation locally and commit the changes."
-            git status --porcelain | grep '^ M apps/api/swagger.json'
+            git status --porcelain --untracked-files=all | grep 'apps/api/swagger.json'
            exit 1
          else
            echo "OpenAPI spec is up to date."
@@ -165,14 +210,14 @@ jobs:
        with:
          node-version: 22
          cache: 'pnpm'
-          cache-dependency-path: apps/frontend/pnpm-lock.yaml
+          cache-dependency-path: pnpm-lock.yaml
-      
+
      - name: Install frontend dependencies
        if: steps.check_swagger_changes.outputs.changed == 'true'
        run: |
          cd apps/frontend
          pnpm install
-      
+
      - name: Generate frontend API client
        if: steps.check_swagger_changes.outputs.changed == 'true'
        run: |
@@ -182,14 +227,14 @@ jobs:
      - name: Check for uncommitted changes in frontend API client
        if: steps.check_swagger_changes.outputs.changed == 'true'
        run: |
-          if [[ -n $(git status --porcelain | grep '^ M apps/frontend/app/generated/api-client') ]]; then
+          if [[ -n $(git status --porcelain --untracked-files=all | grep 'apps/frontend/app/generated/api-client') ]]; then
            echo "Frontend API client is not up to date. Please run the API client generation locally and commit the changes."
-            git status --porcelain | grep '^ M apps/frontend/app/generated/api-client'
+            git status --porcelain --untracked-files=all | grep 'apps/frontend/app/generated/api-client'
            exit 1
          else
            echo "Frontend API client is up to date."
          fi
-      
+
      - name: Skip frontend API client generation (no relevant changes)
        if: steps.check_swagger_changes.outputs.changed == 'false'
        run: echo "No changes in apps/api/swagger.json nor apps/frontend/app/generated/api-client, skipping frontend API client generation verification."
--- a/.gitignore
+++ b/.gitignore
@@ -27,3 +27,5 @@ target
 .env.generated
 generated-config.yaml
 node_modules/
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -4,6 +4,7 @@ members = [
    "apps/container",
    "apps/cli",
    "apps/agent",
    "public/agent-client",
    "public/shared",
    "public/database",
    "public/migration"
--- a/apps/agent/Cargo.toml
+++ b/apps/agent/Cargo.toml
@@ -11,5 +11,6 @@ tracing-subscriber = { version = "0.3.20", features = ["smallvec", "fmt", "ansi"
 serde_json = { version = "1.0.145", features = ["std"] }
 serde = { version = "1.0.228", features = ["std", "derive"] }
 tokio-cron-scheduler = { version = "0.15.1", features = ["signal"] }
-clap = { version = "4", features = ["derive"] }
+clap = { version = "4", features = ["derive", "env"] }
 nix = { version = "0.30.1", features = ["user", "fs"] }
 utoipa = { version = "5.4.0", features = ["macros", "axum_extras", "chrono", "decimal", "uuid", "time", "openapi_extensions"] }
--- a/apps/agent/doc/README.md
+++ b/apps/agent/doc/README.md
@@ -0,0 +1,19 @@
 # yanpm-agent Documentation
 This directory contains in-depth documentation for the yanpm agent daemon (the binary built from `apps/agent`). The agent exposes a unix-socket HTTP API for writing nginx configuration fragments, validating them, and reloading nginx safely.
 Docs included:
 - `architecture.md` — Detailed explanation of the program flow and components.
 - `configuration.md` — CLI flags, environment variables, defaults, and permission handling.
 - `usage.md` — How to run the agent, curl examples, and systemd/docker hints.
 - `api.md` — HTTP API endpoints, request and response schemas, examples.
 - `deployment.md` — Deployment considerations, permissions, and systemd socket/unit examples.
 - `troubleshooting.md` — Common errors and solutions.
 For implementation details, see the source in `apps/agent/src` (notably `main.rs`, `routes.rs`, and the `commands/` submodule).
 Integration notes
 - The agent is intended to run as a companion agent for the API service in `apps/api`. The API service calls the agent over the unix-domain socket to write nginx fragments, validate them, and trigger reloads.
 - A production Docker image is provided by `apps/agent/Dockerfile`. That Dockerfile packages nginx + the `yanpm-agent` binary and s6-overlay service scripts so a single container can run nginx and the agent alongside each other.
--- a/apps/agent/doc/api.md
+++ b/apps/agent/doc/api.md
@@ -0,0 +1,68 @@
 # HTTP API Reference
 Base: HTTP over a unix-domain socket. Example using curl: `curl --unix-socket /path/to/socket -X POST http://localhost/<path>`
 1) GET /status
   - Response: 200 OK
   - Body: JSON `{ "ok": true }`
 2) POST /validate
   - Request JSON:
   ```json
   {
     "config_name": "example",
     "timestamp": 1234567890
   }
   ```
   - Behavior: validates the fragment file named by `config_name` and `timestamp` under the agent's internal subdirectory inside the configured nginx config directory. Delegates to `ValidateCommand::validate`.
   - Success: 200 OK, body is `[rc, output]` tuple serialized as JSON (actual shape is `(i32, String)` returned from the command; examine responses for exact formatting).
   - Error cases:
     - 400 Bad Request: invalid or malformed JSON
     - 500 Internal Server Error: validation error or missing fragment file
   - Request JSON:
   ```json
   {
      "config_name": "example",
      "timestamp": 1234567890
   }
   ```
   - Behavior: validates the fragment file named by `config_name` and `timestamp` under the agent's internal subdirectory inside the configured nginx config directory. Delegates to `ValidateCommand::validate`.
   - Success: 200 OK, body is a JSON array `[rc, output]` where `rc` is the integer return code and `output` is the combined stdout/stderr string from the validation command (the command returns an `(i32, String)` tuple).
   - Error cases:
      - 400 Bad Request: invalid or malformed JSON
      - 500 Internal Server Error: validation error or missing fragment file
 3) POST /validate_and_reload
   - Request JSON same as `/validate`.
   - Behavior: runs validation and, on success, attempts to reload nginx. Returns an object with `rc` and `ro` (return code and combined stdout/stderr output).
   - Success: 200 OK with body: `{ "rc": <int>, "ro": "<output>" }`
   - Errors: 400 for malformed JSON, 500 if the validate-and-reload command fails (body presents error text).
 4) POST /write_config
   - Request JSON:
   ```json
   {
     "config_name": "example",
     "timestamp": 1234567890,
     "content": "server { ... }"
   }
   ```
   - Behavior: writes the provided `content` into an agent-managed fragment file named from `config_name` and `timestamp` in the internal subdirectory under `nginx_config_dir`.
   - Success: 200 OK with empty body
   - Error: 400 for malformed JSON, 500 if writing the file fails
 Notes
 - The agent expects callers to choose a `config_name` and `timestamp` that together form a unique filename. The concrete filename encoding is performed by `commands::run::to_file_name` in source.
 - On validation failures the returned output often contains the full `nginx -t` output; inspect `ro` or the returned JSON error messages.
--- a/apps/agent/doc/architecture.md
+++ b/apps/agent/doc/architecture.md
@@ -0,0 +1,34 @@
 # Architecture and Runtime Flow
 Overview
 - The agent is an async HTTP server (axum) listening on a Unix domain socket and exposes a small JSON API to manage nginx configuration fragments.
 - Core lifecycle is implemented in `apps/agent/src/main.rs`:
  - parse CLI args and environment variables
  - ensure the socket path and directory exist and have permissive but secure defaults
  - bind a `tokio::net::UnixListener` to the socket
  - create an `NginxService` (shared state) and an in-process cron `JobScheduler`
  - mount axum routes (`/status`, `/validate`, `/validate_and_reload`, `/write_config`) and serve HTTP over the Unix socket
 Key components
 - `main.rs` — Bootstrapping, argument handling, socket setup and permission handling, scheduler start, and axum server startup.
 - `routes.rs` — axum handlers for the HTTP API. It deserializes JSON payloads and delegates to `NginxService` methods. Handlers return appropriate HTTP status codes and JSON on error or success.
 - `commands/` — Implementation of lower-level actions (writing fragment files, running `nginx -t`, validating, reloads). The `validate.rs` command contains sophisticated behavior to handle permission-limited environments by:
  - creating wrapper nginx configs that include a single fragment
  - trying `nginx -t` directly, attempting a privileged wrapper via `sudo` if available, and finally passing a writable PID override via `-g pid ...;` to avoid permission failures
 Concurrency and state
 - A single shared `NginxService` instance is stored in axum `State` and cloned into handlers; it holds the scheduler and the configured nginx config directory path.
 - The JobScheduler is created with `tokio_cron_scheduler::JobScheduler` and started before serving requests.
 Error handling and best-effort behavior
 - Socket permission changes, GID changes, and directory creations are best-effort and log warnings on failure rather than failing hard.
 - Most command failures are converted into JSON errors with appropriate HTTP status codes so callers can inspect command output.
 Integration and packaging
 - The agent is intended to run as a companion to the API server in `apps/api`. The API calls the agent over the unix socket to write fragments, validate them, and trigger reloads.
 - `apps/agent/Dockerfile` builds a runtime image that includes `nginx` and the `yanpm-agent` binary (the Dockerfile uses s6-overlay to run multiple services). This image is suitable for deployments that prefer nginx and the agent colocated in a single container.
--- a/apps/agent/doc/configuration.md
+++ b/apps/agent/doc/configuration.md
@@ -0,0 +1,27 @@
 # Configuration and Environment
 CLI flags and environment variables
 - `--sock` / `YANPM_AGENT_SOCK` (default: `./yanpm-agent.sock`)
  - Path to the Unix socket file the agent will bind to.
  - If the socket directory does not exist the agent attempts to create it and set mode `0770`.
 - `--nginx-config-dir` / `YANPM_NGINX_CONFIG_DIR` (default: `/etc/nginx/conf.d`)
  - Directory where nginx fragments are written. The agent writes fragments into a subdirectory named by the agent (internal use).
 - `--sock-perm` / `YANPM_AGENT_SOCK_PERM` (default: `660`)
  - A 3-digit octal permission string applied to the socket file (best-effort). The program validates this is a 3-digit octal string.
  - If the final digit is greater than `0` a warning is logged because that allows "others" access.
 - `--sock-gid` / `YANPM_AGENT_SOCK_GID` (default: current user's primary group)
  - GID to set on the socket file (best-effort).
 Validation rules and behavior
 - `sock_perm` must be exactly 3 octal digits (characters 0-7). The agent rejects invalid values at startup.
 - When an existing path exists at the socket location the agent verifies it is a unix socket; if so it removes it before binding. If the path exists and is not a socket, startup fails.
 - Setting permissions (`set_permissions`) and changing GID (`chown`) are attempted but non-fatal: failures are logged as warnings and the agent continues.
 Notes about nginx config directory
 - The agent writes fragments into a subdirectory (internal) of the configured `nginx_config_dir`. Ensure nginx is configured to include that subdirectory so fragments are picked up, or use `write_config` then trigger a reload.
--- a/apps/agent/doc/deployment.md
+++ b/apps/agent/doc/deployment.md
@@ -0,0 +1,62 @@
 # Deployment and Permissions
 Socket location and permissions
 - The agent binds a unix socket at the path given by `--sock` or `YANPM_AGENT_SOCK`. The agent will:
  - create the parent directory (best-effort) and attempt to set its permissions to `0770`
  - remove an existing socket file if it is a socket, or fail if the path exists and is not a socket
  - apply the `sock_perm` (3-digit octal) to the socket file and optionally change its GID to `sock_gid`
 Systemd socket/unit example
 Create a `yanpm-agent.socket` unit that creates and owns the unix socket, and a `yanpm-agent.service` that runs the agent. Ensure the socket path used by systemd matches `--sock`.
 Docker / container notes
 - If running the agent inside a container and writing to host nginx config, bind-mount the host nginx config directory into the container at the path provided to `--nginx-config-dir`.
 - Consider running the agent as a user with permission to write the nginx config directory or use a shared group and `sock_gid` so clients can access the socket.
 - The repository provides a runtime image built by `apps/agent/Dockerfile` which packages `nginx` together with the `yanpm-agent` binary and s6-overlay service scripts. This image runs nginx and the agent in one container which is useful when the agent is acting as the runtime companion for the API (`apps/api`).
 Privilege escalation for validation
 - In many systems `nginx -t` may fail due to inability to access `/run/nginx.pid` or other privileged files. The agent attempts a best-effort sequence:
 1. Run `nginx -t` directly.
 2. If that fails with permission errors, try a privileged wrapper (e.g. `/usr/local/sbin/yanpm-nginx-validate` or `yanpm-nginx-validate-file`) via `sudo -n`.
 3. If wrapper is unavailable or fails, retry `nginx -t` with a writable PID override via `-g 'pid /tmp/yanpm-validate-<pid>.pid;'`.
 Security considerations
 - Avoid setting `sock_perm` to allow world access unless explicitly intended.
 - Prefer controlling socket group membership via `sock_gid` rather than making the socket world-writable.
 s6 init scripts, wrappers and sudoers (runtime)
 - Purpose: The image built by `apps/agent/Dockerfile` uses `s6-overlay` as PID 1 (the Dockerfile sets `ENTRYPOINT ["/init"]`). The repository includes `docker/s6/cont-init.d` scripts that run at container startup (one-shot) and `docker/s6/services.d` entries to run long-lived services (nginx and the agent). The cont-init scripts prepare runtime users, permissions, and helper wrappers the agent uses for privileged operations.
 - Key cont-init scripts (in the repo):
  - `docker/s6/cont-init.d/10-create-app-user` — ensures the `yanpm-agent` user and group exist (honoring `YANPM_AGENT_UID`, `YANPM_AGENT_GID`, and `YANPM_AGENT_SOCK_GID`), adds the user to the `nginx` group, and attempts to chown runtime directories like `/var/run/yanpm` and `/app/yanpm-agent` (logs warnings if chown fails for bind mounts or rootless containers).
  - `docker/s6/cont-init.d/20-install-reload-wrapper` — installs three helper wrappers and a sudoers entry so the `yanpm-agent` user can perform narrowly-scoped privileged operations without a password.
 - Wrapper scripts installed by `20-install-reload-wrapper`:
  - `/usr/local/sbin/yanpm-nginx-reload` — runs `nginx -c /etc/nginx/nginx.conf -s reload` (used for reloading the running nginx master process).
  - `/usr/local/sbin/yanpm-nginx-validate` — runs `nginx -c /etc/nginx/nginx.conf -t` (validates the main nginx config).
  - `/usr/local/sbin/yanpm-nginx-validate-file` — securely validates a single nginx config file: it resolves the absolute path, ensures the target is a regular file (not a symlink), checks the file is owned by the `yanpm-agent` user, enforces it's not world-writable, then runs `nginx -c <file> -t`. This defends against symlink and race attacks when an unprivileged agent requests privileged validation.
 - Sudoers entry:
  - The init script writes `/etc/sudoers.d/yanpm-agent` with a rule allowing the configured agent user (default `yanpm-agent`) to run only the three wrappers with `NOPASSWD`. This gives the agent a limited, auditable privilege escalation surface; the agent code attempts to use these wrappers via `sudo -n` before falling back to less privileged strategies.
 - Relevant environment variables (settable in the Dockerfile or at runtime):
  - `YANPM_AGENT_SOCK` — unix socket path (default set in Dockerfile: `/var/run/yanpm/yanpm-agent.sock`).
  - `YANPM_NGINX_CONFIG_DIR` — nginx config dir (default `/etc/nginx/conf.d`).
  - `YANPM_AGENT_SOCK_PERM` — socket permissions (octal string, default `660`).
  - `YANPM_AGENT_SOCK_GID` — desired GID for the socket (optional).
  - `YANPM_AGENT_UID`, `YANPM_AGENT_GID` — runtime UID/GID used to create the `yanpm-agent` user in the container.
 - How the agent uses these runtime helpers:
  - `ValidateCommand` and `ReloadCommand` in the agent code try `nginx` operations directly; when permission problems occur they attempt the privileged wrappers via `sudo -n /usr/local/sbin/yanpm-nginx-validate` or `...-validate-file` and `...-reload`. The cont-init script's wrappers plus the sudoers entry implement that intended secure upgrade path.
 - Notes and recommendations:
  - The `validate-file` wrapper performs ownership and permission checks; ensure written fragments are created by the `yanpm-agent` user (the agent writes files as that user when running inside the container due to `10-create-app-user`).
  - The cont-init scripts attempt to install `sudo` if missing; in minimal images you may prefer providing `sudo` at build time to avoid runtime installation attempts.
  - If you bind-mount host directories (e.g., `/etc/nginx/conf.d`) into the container, ensure ownership and permissions are compatible with the agent user and `YANPM_AGENT_SOCK_GID` so the socket and files are accessible as intended.
--- a/apps/agent/doc/troubleshooting.md
+++ b/apps/agent/doc/troubleshooting.md
@@ -0,0 +1,27 @@
 # Troubleshooting
 Common issues and how to resolve them
 - Socket path exists but is not a socket
  - Symptom: startup fails with an error that the socket path exists and is not a socket.
  - Fix: remove the file at the socket path or choose a different `--sock` path.
 - Permission denied on socket directory or socket
  - Symptom: socket creation or permission setting logs warnings; clients cannot connect.
  - Fix: ensure the socket directory exists and has correct ownership/group and that `sock_perm` and `sock_gid` are configured appropriately. Consider using `chown`/`chmod` from a privileged context.
 - `nginx -t` fails with `/run/nginx.pid: Permission denied`
  - Symptom: validation fails; output contains permission denied for `/run/nginx.pid`.
  - Fixes (tried by the agent):
    1. If available, provide a privileged validation wrapper (e.g. `/usr/local/sbin/yanpm-nginx-validate`) that runs `nginx -t` with appropriate privileges.
    2. Ensure the agent-runner has permission to read the main nginx configuration and `/run/nginx.pid` or allow the agent to use a writable PID override.
 - Fragment file not found during validation
  - Symptom: validate returns 500 with message `Config file not found`.
  - Fix: make sure the fragment has been written via `/write_config` to the agent's internal subdirectory under `NGINX_CONFIG_DIR`, using the same `config_name` and `timestamp` as the validate call.
 - Wrapper or sudo not available
  - Symptom: attempts to run `sudo -n /usr/local/sbin/yanpm-nginx-validate` fail.
  - Fix: install a wrapper script that allows unprivileged `sudo -n` validation or configure proper permissions on nginx state files.
 If none of the above solves the problem, collect the logs produced by the agent (it uses `tracing`/`tracing_subscriber`) and include the exact command outputs from the validation steps when asking for help.
--- a/apps/agent/doc/usage.md
+++ b/apps/agent/doc/usage.md
@@ -0,0 +1,61 @@
 # Usage and Examples
 Running locally (development)
 1. Build the agent (from repository root):
   ```sh
   cargo build -p agent
   ```
 2. Run the agent with defaults (socket in current directory):
   ```sh
   ./target/debug/yanpm-agent
   ```
 3. Run with explicit socket and nginx config directory:
   ```sh
   ./target/debug/yanpm-agent --sock /run/yanpm/yanpm-agent.sock --nginx-config-dir /etc/nginx/conf.d
   ```
 HTTP over unix-socket examples (using `socat` / `curl` helper)
 If you want to call the API from the shell, you can use `socat` to convert the unix socket to an HTTP stream, or use tools that support unix sockets directly (e.g. `curl --unix-socket`). Examples below use `curl --unix-socket`.
 Validate a fragment by name and timestamp:
 ```sh
 curl --unix-socket ./yanpm-agent.sock -X POST http://localhost/validate \
  -H 'Content-Type: application/json' \
  -d '{"config_name":"example","timestamp":1234567890}'
 ```
 Validate and reload (returns `rc` and `ro`):
 ```sh
 curl --unix-socket ./yanpm-agent.sock -X POST http://localhost/validate_and_reload \
  -H 'Content-Type: application/json' \
  -d '{"config_name":"example","timestamp":1234567890}'
 ```
 Write a fragment (create or update):
 ```sh
 curl --unix-socket ./yanpm-agent.sock -X POST http://localhost/write_config \
  -H 'Content-Type: application/json' \
  -d '{"config_name":"example","timestamp":1234567890,"content":"server { listen 80; server_name example.local; }"}'
 ```
 Status endpoint (health)
 ```sh
 curl --unix-socket ./yanpm-agent.sock http://localhost/status
 ```
 Notes
 - Use the `config_name` and `timestamp` fields consistently: `timestamp` is typically a monotonic update ID from the caller ensuring unique file names.
 - When running in containers, mount the host nginx config dir if you want the agent to write directly to host nginx configuration.
 - The repository includes a runtime Docker image built by `apps/agent/Dockerfile` which bundles `nginx` and the `yanpm-agent` binary (via s6-overlay). Use that image when you want nginx and the agent colocated (the agent is intended as a runtime companion to `apps/api`).
--- a/apps/agent/src/commands/validate.rs
+++ b/apps/agent/src/commands/validate.rs
@@ -1,4 +1,4 @@
-use tracing::{error, info, warn};
+use tracing::{info, warn};
 use crate::commands::{run::run_cmd, write_config::INTERNAL_CONFIG_FOLDER_NAME};
 use std::path::PathBuf;
--- a/apps/agent/src/main.rs
+++ b/apps/agent/src/main.rs
@@ -1,11 +1,12 @@
 #![forbid(unsafe_code)]
 mod commands;
 mod openapi;
 mod routes;
 use axum::routing::get;
 use axum::{Router, routing::post};
-use clap::{Arg, Command};
+use clap::Parser;
 use std::os::unix::fs::PermissionsExt;
 use std::path::PathBuf;
 use std::sync::Arc;
@@ -13,12 +14,9 @@ use tokio::net::UnixListener;
 use tracing::{error, info, warn};
 use crate::commands::NginxService;
 use crate::openapi::{GenerateOpenapiArgs, generate_openapi_doc};
 use crate::routes::{status, validate, validate_and_reload, write_config};
 const SOCK_ARG: &str = "sock";
 const NGINX_CONFIG_DIR_ARG: &str = "nginx_config_dir";
 const SOCK_PERM_ARG: &str = "sock_perm";
 const SOCK_GID_ARG: &str = "sock_gid";
 const SOCK_ENV: &str = "YANPM_AGENT_SOCK";
 const SOCK_PERM_ENV: &str = "YANPM_AGENT_SOCK_PERM";
 const NGINX_CONFIG_DIR_ENV: &str = "YANPM_NGINX_CONFIG_DIR";
@@ -28,6 +26,40 @@ const NGINX_CONFIG_DIR_DEFAULT: &str = "/etc/nginx/conf.d";
 const SOCK_PERM_DEFAULT: &str = "660";
 const SOCK_GID_DEFAULT: &str = "";
 /// Command line arguments
 #[derive(Parser, Debug)]
 #[command(author, version, about, long_about = None)]
 struct Args {
    /// Unix socket path to bind the agent daemon to
    #[arg(short = 's', long, default_value_t = String::from(SOCK_DEFAULT), env = SOCK_ENV)]
    sock: String,
    /// Directory where generated nginx config files will be written
    #[arg(short = 'd', long, default_value_t = String::from(NGINX_CONFIG_DIR_DEFAULT), env = NGINX_CONFIG_DIR_ENV)]
    nginx_config_dir: String,
    /// Permissions to set on the unix socket (in octal), e.g. 660
    #[arg(long, default_value_t = String::from(SOCK_PERM_DEFAULT), env = SOCK_PERM_ENV)]
    sock_perm: String,
    /// GID to set on the unix socket, default: current user's primary group
    #[arg(long, default_value_t = String::from(SOCK_GID_DEFAULT), env = SOCK_GID_ENV)]
    sock_gid: String,
    #[command(subcommand)]
    command: Option<SubCommand>,
 }
 #[derive(clap::Subcommand, Debug)]
 pub enum SubCommand {
    /// Generate OpenAPI spec to file or stdout
    GenerateOpenapi {
        /// Output file path.
        #[arg(short = 'o', long)]
        output: String,
    },
 }
 #[tokio::main]
 async fn main() -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
    let subscriber = tracing_subscriber::fmt()
@@ -40,39 +72,19 @@ async fn main() -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
    tracing::subscriber::set_global_default(subscriber)
        .expect("Failed to set global default subscriber");
-    let args = Command::new("yanpm-agent")
+    let args = Args::parse();
-        .arg(
+
-            Arg::new(SOCK_ARG)
+    if let Some(cmd) = &args.command {
-                .short('s')
+        match cmd {
-                .long("sock")
+            SubCommand::GenerateOpenapi { output } => {
-                .value_name("SOCK_PATH")
+                generate_openapi_doc(&GenerateOpenapiArgs {
-                .help("Unix socket path to bind the agent daemon to")
+                    output: output.clone(),
-                .required(false),
+                })
-        )
+                .await?;
-        .arg(
+                return Ok(());
-            Arg::new(NGINX_CONFIG_DIR_ARG)
+            }
-                .short('d')
+        }
-                .long("nginx-config-dir")
+    }
                .value_name("NGINX_CONFIG_DIR")
                .help("Directory where generated nginx config files will be written")
                .required(false),
        )
        .arg(
            Arg::new(SOCK_PERM_ARG)
                .long("sock-perm")
                .value_name("SOCK_PERM")
                .help("Permissions to set on the unix socket (in octal), e.g. 660")
                .required(false),
        )
        .arg(
            Arg::new(SOCK_GID_ARG)
                .long("sock-gid")
                .value_name("SOCK_GID")
                .help("GID to set on the unix socket, default: current user's primary group")
                .required(false),
        )
        .about("YANPM Agent Daemon")
        .get_matches();
    let (sock, nginx_config_dir, sock_perm, sock_gid) = get_args(&args).await?;
@@ -175,32 +187,12 @@ async fn main() -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
 }
 async fn get_args(
-    args: &clap::ArgMatches,
+    args: &Args,
 ) -> Result<(String, String, u32, String), Box<dyn std::error::Error + Send + Sync>> {
-    let sock = args
+    let sock = args.sock.clone();
-        .get_one::<String>(SOCK_ARG)
+    let nginx_config_dir = args.nginx_config_dir.clone();
-        .cloned()
+    let sock_perm = args.sock_perm.clone();
-        .unwrap_or_else(|| std::env::var(SOCK_ENV).unwrap_or_else(|_| SOCK_DEFAULT.to_string()));
+    let sock_gid = args.sock_gid.clone();
    let nginx_config_dir = args
        .get_one::<String>(NGINX_CONFIG_DIR_ARG)
        .cloned()
        .unwrap_or_else(|| {
            std::env::var(NGINX_CONFIG_DIR_ENV)
                .unwrap_or_else(|_| NGINX_CONFIG_DIR_DEFAULT.to_string())
        });
    let sock_perm = args
        .get_one::<String>(SOCK_PERM_ARG)
        .cloned()
        .unwrap_or_else(|| {
            std::env::var(SOCK_PERM_ENV).unwrap_or_else(|_| SOCK_PERM_DEFAULT.to_string())
        });
    let sock_gid = args
        .get_one::<String>(SOCK_GID_ARG)
        .cloned()
        .unwrap_or_else(|| {
            std::env::var(SOCK_GID_ENV).unwrap_or_else(|_| SOCK_GID_DEFAULT.to_string())
        });
    if sock_perm.len() != 3 || !sock_perm.chars().all(|c| ('0'..='7').contains(&c)) {
        return Err(std::io::Error::new(
--- a/apps/agent/src/openapi.rs
+++ b/apps/agent/src/openapi.rs
@@ -0,0 +1,45 @@
 use tracing::info;
 use utoipa::OpenApi;
 pub mod tag {
    /// nginx
    pub const NGINX_TAG: &str = "Nginx Agent";
 }
 #[derive(utoipa::OpenApi)]
 #[openapi(
  paths(
    crate::routes::status,
    crate::routes::validate,
    crate::routes::validate_and_reload,
    crate::routes::write_config,
  ),
  components(
      schemas(crate::routes::StatusResp),
      schemas(crate::routes::ValidateAndReloadResp),
      schemas(crate::routes::ValidateBody),
      schemas(crate::routes::WriteConfigBody),
      schemas(crate::routes::ValidateAndReloadBody),
  ),
  tags(
      (name = tag::NGINX_TAG, description = "Nginx Agent API"),
  )
 )]
 struct ApiDoc;
 pub struct GenerateOpenapiArgs {
    pub output: String,
 }
 pub async fn generate_openapi_doc(
    args: &GenerateOpenapiArgs,
 ) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
    info!("Generating OpenAPI documentation...");
    let doc = ApiDoc::openapi();
    let json = doc
        .to_pretty_json()
        .expect("Failed to serialize OpenAPI doc to JSON");
    std::fs::write(&args.output, json).expect("Failed to write OpenAPI doc to file");
    info!("OpenAPI documentation generated at {}", args.output);
    Ok(())
 }
--- a/apps/agent/src/routes.rs
+++ b/apps/agent/src/routes.rs
@@ -9,28 +9,46 @@ use tracing::warn;
 use crate::commands::NginxService;
-#[derive(Serialize)]
+#[derive(Serialize, utoipa::ToSchema)]
 pub struct StatusResp {
    pub ok: bool,
 }
 /// Health check endpoint
 #[utoipa::path(
    get,
    path = "/status",
    responses(
        (status = 200, description = "Status response", body = StatusResp)
    ),
    tag = crate::openapi::tag::NGINX_TAG
 )]
 pub async fn status() -> impl IntoResponse {
    let resp = StatusResp { ok: true };
    (axum::http::StatusCode::OK, axum::Json(resp))
 }
-#[derive(Serialize)]
+#[derive(Serialize, utoipa::ToSchema)]
 pub struct ValidateAndReloadResp {
    pub rc: i32,
    pub ro: String,
 }
-#[derive(Deserialize)]
+#[derive(Deserialize, utoipa::ToSchema)]
 pub struct ValidateBody {
    config_name: String,
    timestamp: u64,
 }
 #[utoipa::path(
    post,
    path = "/validate",
    request_body = ValidateBody,
    responses(
        (status = 200, description = "Validation response", body = serde_json::Value)
    ),
    tag = crate::openapi::tag::NGINX_TAG
 )]
 pub async fn validate(
    State(nginx_controller): State<Arc<NginxService>>,
    Json(payload): Json<Value>,
@@ -57,12 +75,21 @@ pub async fn validate(
    (axum::http::StatusCode::OK, axum::Json(resp)).into_response()
 }
-#[derive(Deserialize)]
+#[derive(Deserialize, utoipa::ToSchema)]
 pub struct ValidateAndReloadBody {
    config_name: String,
    timestamp: u64,
 }
 #[utoipa::path(
    post,
    path = "/validate_and_reload",
    request_body = ValidateAndReloadBody,
    responses(
        (status = 200, description = "Validate and reload response", body = ValidateAndReloadResp)
    ),
    tag = crate::openapi::tag::NGINX_TAG
 )]
 pub async fn validate_and_reload(
    State(nginx_controller): State<Arc<NginxService>>,
    Json(payload): Json<Value>,
@@ -96,13 +123,23 @@ pub async fn validate_and_reload(
    (axum::http::StatusCode::OK, axum::Json(resp)).into_response()
 }
-#[derive(Deserialize)]
+#[derive(Deserialize, utoipa::ToSchema)]
 pub struct WriteConfigBody {
    config_name: String,
    timestamp: u64,
    content: String,
 }
 #[utoipa::path(
    post,
    path = "/write_config",
    request_body = WriteConfigBody,
    responses(
        (status = 200, description = "Write config response"),
        (status = 500, description = "Internal server error", body = serde_json::Value)
    ),
    tag = crate::openapi::tag::NGINX_TAG
 )]
 pub async fn write_config(
    State(nginx_controller): State<Arc<NginxService>>,
    Json(payload): Json<Value>,
--- a/apps/agent/swagger.json
+++ b/apps/agent/swagger.json
@@ -0,0 +1,215 @@
 {
  "openapi": "3.1.0",
  "info": {
    "title": "yanpm-agent",
    "description": "",
    "license": {
      "name": ""
    },
    "version": "0.1.0"
  },
  "paths": {
    "/status": {
      "get": {
        "tags": [
          "Nginx Agent"
        ],
        "summary": "Health check endpoint",
        "operationId": "status",
        "responses": {
          "200": {
            "description": "Status response",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/StatusResp"
                }
              }
            }
          }
        }
      }
    },
    "/validate": {
      "post": {
        "tags": [
          "Nginx Agent"
        ],
        "operationId": "validate",
        "requestBody": {
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/ValidateBody"
              }
            }
          },
          "required": true
        },
        "responses": {
          "200": {
            "description": "Validation response",
            "content": {
              "application/json": {
                "schema": {}
              }
            }
          }
        }
      }
    },
    "/validate_and_reload": {
      "post": {
        "tags": [
          "Nginx Agent"
        ],
        "operationId": "validate_and_reload",
        "requestBody": {
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/ValidateAndReloadBody"
              }
            }
          },
          "required": true
        },
        "responses": {
          "200": {
            "description": "Validate and reload response",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ValidateAndReloadResp"
                }
              }
            }
          }
        }
      }
    },
    "/write_config": {
      "post": {
        "tags": [
          "Nginx Agent"
        ],
        "operationId": "write_config",
        "requestBody": {
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/WriteConfigBody"
              }
            }
          },
          "required": true
        },
        "responses": {
          "200": {
            "description": "Write config response"
          },
          "500": {
            "description": "Internal server error",
            "content": {
              "application/json": {
                "schema": {}
              }
            }
          }
        }
      }
    }
  },
  "components": {
    "schemas": {
      "StatusResp": {
        "type": "object",
        "required": [
          "ok"
        ],
        "properties": {
          "ok": {
            "type": "boolean"
          }
        }
      },
      "ValidateAndReloadBody": {
        "type": "object",
        "required": [
          "config_name",
          "timestamp"
        ],
        "properties": {
          "config_name": {
            "type": "string"
          },
          "timestamp": {
            "type": "integer",
            "format": "int64",
            "minimum": 0
          }
        }
      },
      "ValidateAndReloadResp": {
        "type": "object",
        "required": [
          "rc",
          "ro"
        ],
        "properties": {
          "rc": {
            "type": "integer",
            "format": "int32"
          },
          "ro": {
            "type": "string"
          }
        }
      },
      "ValidateBody": {
        "type": "object",
        "required": [
          "config_name",
          "timestamp"
        ],
        "properties": {
          "config_name": {
            "type": "string"
          },
          "timestamp": {
            "type": "integer",
            "format": "int64",
            "minimum": 0
          }
        }
      },
      "WriteConfigBody": {
        "type": "object",
        "required": [
          "config_name",
          "timestamp",
          "content"
        ],
        "properties": {
          "config_name": {
            "type": "string"
          },
          "content": {
            "type": "string"
          },
          "timestamp": {
            "type": "integer",
            "format": "int64",
            "minimum": 0
          }
        }
      }
    }
  },
  "tags": [
    {
      "name": "Nginx Agent",
      "description": "Nginx Agent API"
    }
  ]
 }
--- a/apps/api/Cargo.toml
+++ b/apps/api/Cargo.toml
@@ -6,6 +6,7 @@ edition = "2024"
 [dependencies]
 database = { path = "../../public/database" }
 migration = { path = "../../public/migration" }
 agent_client = { path = "../../public/agent-client" }
 axum = { version = "0.8.7", features = ["form", "http1", "http2", "json", "matched-path", "original-uri", "query", "tokio", "tower-log", "tracing", "macros"] }
 axum-extra = { version = "0.12.2", features = ["cookie"] }
@@ -28,4 +29,10 @@ argon2 = { version = "0.5.3", features = ["std"] }
 jsonwebtoken = { version = "10.2.0", features = ["rust_crypto"] }
 uuid = { version = "1.19.0", features = ["v4", "serde", "fast-rng"] }
 tower-http = { version = "0.6.8", features = ["cors"] }
 reqwest = { version = "^0.12", features = ["json", "multipart", "stream"] }
 [dev-dependencies]
 tempfile = "3"
 [lints.clippy]
 unwrap_used = "deny"
--- a/apps/api/src/cmd/generate_openapi.rs
+++ b/apps/api/src/cmd/generate_openapi.rs
@@ -28,7 +28,7 @@ fn action(
    _matches: &clap::ArgMatches,
 ) -> std::pin::Pin<Box<dyn std::future::Future<Output = ()> + Send>> {
    let output_path = _matches.get_one::<String>("output_path");
-    let output_path = output_path.unwrap().to_string();
+    let output_path = output_path.expect("output_path is required").to_string();
    Box::pin(async move {
        tracing::subscriber::with_default(log::make_temporary_subscriber(), || {
--- a/apps/api/src/cmd/start_server.rs
+++ b/apps/api/src/cmd/start_server.rs
@@ -11,15 +11,8 @@ use crate::{
    cmd::CliCommand,
    configs::{ProgramSettings, get_program_settings, logging::LoggingSettings},
    log,
-    routes::{self, AppService, AppState},
+    routes::{self, AppState},
-    services::{
+    services::get_app_service,
        auth::{
            authentication::{AuthenticationServiceImpl, strategies::password::PasswordStrategy},
            user::UserServiceImpl,
        },
        server_state::ServerStateService,
        settings::SettingsService,
    },
    tasks,
 };
@@ -148,19 +141,7 @@ fn get_app_state(
    AppState {
        database_connection: db_connection.clone(),
        config: Arc::new(settings.clone()),
-        service: Arc::new(AppService {
+        service: Arc::new(get_app_service(db_connection, settings)),
            server_state: Arc::new(ServerStateService::new(db_connection.clone())),
            settings: Arc::new(SettingsService::new(db_connection.clone())),
            auth_state: routes::AuthState {
                strategy: routes::AuthStrategy {
                    password: Arc::new(PasswordStrategy::new(db_connection.clone())),
                },
                authentication: Arc::new(AuthenticationServiceImpl::new(
                    settings.auth.jwt_secret.clone(),
                )),
            },
            user: Arc::new(UserServiceImpl::new(db_connection.clone())),
        }),
    }
 }
--- a/apps/api/src/configs.rs
+++ b/apps/api/src/configs.rs
@@ -1,3 +1,4 @@
 pub mod agent;
 pub mod auth;
 pub mod database;
 pub mod logging;
@@ -21,6 +22,7 @@ pub struct ProgramSettings {
    pub database: database::DatabaseSettings,
    pub server: server::ServerSettings,
    pub auth: auth::AuthSettings,
    pub agent: agent::AgentSettings,
 }
 impl FromConfig for ProgramSettings {
@@ -30,6 +32,7 @@ impl FromConfig for ProgramSettings {
            database: database::DatabaseSettings::from_config(_config)?,
            server: server::ServerSettings::from_config(_config)?,
            auth: auth::AuthSettings::from_config(_config)?,
            agent: agent::AgentSettings::from_config(_config)?,
        };
        config.validate()?;
        Ok(config)
@@ -50,6 +53,7 @@ impl FromConfig for ProgramSettings {
            database: database::DatabaseSettings::mock(),
            server: server::ServerSettings::mock(),
            auth: auth::AuthSettings::mock(),
            agent: agent::AgentSettings::mock(),
        }
    }
 }
--- a/apps/api/src/configs/agent.rs
+++ b/apps/api/src/configs/agent.rs
@@ -0,0 +1,58 @@
 use config::Config;
 use tracing::error;
 use crate::configs::key::AGENT_SOCK_PATH_KEY;
 use super::FromConfig;
 #[derive(Debug, Clone)]
 pub struct AgentSettings {
    pub socket_path: String,
 }
 impl FromConfig for AgentSettings {
    fn from_config(_config: &Config) -> Result<Self, String> {
        Ok(AgentSettings {
            socket_path: _config.get_string(AGENT_SOCK_PATH_KEY).map_err(|err| {
                format!(
                    "Failed to get {} from configuration. Err: {}",
                    AGENT_SOCK_PATH_KEY, err
                )
            })?,
        })
    }
    fn validate(&self) -> Result<(), String> {
        // ensure socket_path exists and is readable and writable
        if !std::path::Path::new(&self.socket_path).exists() {
            let msg = format!("Agent socket path '{}' does not exist", self.socket_path);
            error!("{}", msg);
            return Err(msg);
        }
        if std::path::Path::new(&self.socket_path)
            .metadata()
            .map(|meta| {
                let permissions = meta.permissions();
                // Check read and write permissions for the owner
                !permissions.readonly()
            })
            .unwrap_or(false)
        {
            Ok(())
        } else {
            let msg = format!(
                "Agent socket path '{}' is not readable/writable",
                self.socket_path
            );
            error!("{}", msg);
            Err(msg)
        }
    }
    #[cfg(test)]
    fn mock() -> Self {
        AgentSettings {
            socket_path: "/tmp/agent.sock".to_string(),
        }
    }
 }
--- a/apps/api/src/configs/key.rs
+++ b/apps/api/src/configs/key.rs
@@ -14,3 +14,5 @@ pub(crate) const DATABASE_MIGRATE_ON_STARTUP_KEY: &str = "DATABASE.MIGRATION.MIG
 pub(crate) const AUTH_JWT_SECRET_KEY: &str = "AUTH.JWT_SECRET";
 pub(crate) const AUTH_DEFAULT_ADMIN_USERNAME_KEY: &str = "AUTH.DEFAULT_ADMIN_USERNAME";
 pub(crate) const AUTH_DEFAULT_ADMIN_PASSWORD_KEY: &str = "AUTH.DEFAULT_ADMIN_PASSWORD";
 //
 pub(crate) const AGENT_SOCK_PATH_KEY: &str = "AGENT.SOCK.PATH";
--- a/apps/api/src/configs/server.rs
+++ b/apps/api/src/configs/server.rs
@@ -121,7 +121,7 @@ impl FromConfig for ServerSettings {
    #[cfg(test)]
    fn mock() -> Self {
        ServerSettings {
-            address: "0.0.0.0".parse().unwrap(),
+            address: "0.0.0.0".parse().expect("Failed to parse mock IP address"),
            port: 8080,
            serve_openapi: false,
            cors: CORSSettings {
--- a/apps/api/src/routes.rs
+++ b/apps/api/src/routes.rs
@@ -12,12 +12,8 @@ use crate::{
    configs::{ProgramSettings, server::CORSSettings},
    middlewares,
    services::{
-        auth::{
+        AppService, ServiceState,
-            authentication::{AuthenticationService, strategies::password::PasswordStrategy},
+        auth::authentication::{AuthenticationService, strategies::password::PasswordStrategy},
            user::UserService,
        },
        server_state::ServerStateStore,
        settings::SettingsStore,
    },
 };
@@ -28,8 +24,6 @@ pub struct AppState {
    pub config: Arc<ProgramSettings>,
 }
 pub type ServiceState<T> = Arc<T>;
 pub struct AuthStrategy {
    pub password: ServiceState<PasswordStrategy>,
 }
@@ -39,13 +33,6 @@ pub struct AuthState {
    pub authentication: ServiceState<dyn AuthenticationService>,
 }
 pub struct AppService {
    pub settings: ServiceState<dyn SettingsStore>,
    pub auth_state: AuthState,
    pub user: ServiceState<dyn UserService>,
    pub server_state: ServiceState<dyn ServerStateStore>,
 }
 pub fn get_root_router(
    state: impl Into<Arc<AppState>>,
    cors_settings: Arc<CORSSettings>,
--- a/apps/api/src/routes/api/health/info.rs
+++ b/apps/api/src/routes/api/health/info.rs
@@ -79,6 +79,7 @@ pub async fn get_health_info(
 #[cfg(test)]
 mod test {
    use crate::configs::FromConfig;
    use crate::services::agent_client::AgentService;
    use crate::{
        routes::{AppState, api::health::state::HealthState},
        services::{
@@ -94,6 +95,7 @@ mod test {
    };
    use super::*;
    use agent_client::apis::configuration::Configuration;
    use axum::body::to_bytes;
    use axum::{
        Router,
@@ -124,6 +126,7 @@ mod test {
                },
                user: Arc::new(UserServiceImpl::new(db.clone())),
                server_state: Arc::new(ServerStateService::new(db.clone())),
                agent_client: Arc::new(AgentService::new(Configuration::default())),
            }),
        });
@@ -135,13 +138,21 @@ mod test {
            }));
        let response = app
-            .oneshot(Request::builder().uri("/info").body(Body::empty()).unwrap())
+            .oneshot(
                Request::builder()
                    .uri("/info")
                    .body(Body::empty())
                    .expect("Failed to build request"),
            )
            .await
            .unwrap();
        assert_eq!(response.status(), StatusCode::OK);
-        let body = to_bytes(response.into_body(), 1024 * 1024).await.unwrap(); // Set limit to 1 MB
+        let body = to_bytes(response.into_body(), 1024 * 1024)
-        let health_info: HealthInfo = serde_json::from_slice(&body).unwrap();
+            .await
            .expect("Failed to read response body"); // Set limit to 1 MB
        let health_info: HealthInfo =
            serde_json::from_slice(&body).expect("Failed to deserialize response body");
        assert_eq!(health_info.status, STATUS_HEALTHY);
        assert_eq!(health_info.version, env!("CARGO_PKG_VERSION"));
        assert!(health_info.errors.is_none());
--- a/apps/api/src/services.rs
+++ b/apps/api/src/services.rs
@@ -1,3 +1,54 @@
 pub mod agent_client;
 pub mod auth;
 pub mod server_state;
 pub mod settings;
 use std::sync::Arc;
 use ::agent_client::apis::configuration::Configuration;
 use crate::{
    configs::ProgramSettings,
    routes::{self, AuthState},
    services::{
        auth::{
            authentication::{AuthenticationServiceImpl, strategies::password::PasswordStrategy},
            user::{UserService, UserServiceImpl},
        },
        server_state::{ServerStateService, ServerStateStore},
        settings::{SettingsService, SettingsStore},
    },
 };
 pub type ServiceState<T> = Arc<T>;
 pub struct AppService {
    pub settings: ServiceState<dyn SettingsStore>,
    pub auth_state: AuthState,
    pub user: ServiceState<dyn UserService>,
    pub server_state: ServiceState<dyn ServerStateStore>,
    #[allow(dead_code)]
    pub agent_client: ServiceState<agent_client::AgentService>,
 }
 pub fn get_app_service(
    db_connection: &Arc<sea_orm::DatabaseConnection>,
    settings: &ProgramSettings,
 ) -> AppService {
    AppService {
        server_state: Arc::new(ServerStateService::new(db_connection.clone())),
        settings: Arc::new(SettingsService::new(db_connection.clone())),
        auth_state: routes::AuthState {
            strategy: routes::AuthStrategy {
                password: Arc::new(PasswordStrategy::new(db_connection.clone())),
            },
            authentication: Arc::new(AuthenticationServiceImpl::new(
                settings.auth.jwt_secret.clone(),
            )),
        },
        user: Arc::new(UserServiceImpl::new(db_connection.clone())),
        agent_client: Arc::new(agent_client::AgentService::new(Configuration::from(
            settings.agent.clone(),
        ))),
    }
 }
--- a/apps/api/src/services/agent_client.rs
+++ b/apps/api/src/services/agent_client.rs
@@ -0,0 +1,114 @@
 use std::sync::Arc;
 use agent_client::apis::{ApiClient, configuration::Configuration};
 use tracing::warn;
 use crate::configs::agent::AgentSettings;
 pub struct AgentService {
    client: Arc<ApiClient>,
 }
 impl From<AgentSettings> for Configuration {
    fn from(settings: AgentSettings) -> Self {
        let mut config = Configuration::default();
        let mut builder = reqwest::Client::builder();
        let url = settings.socket_path;
        if url.starts_with("unix://") {
            builder = builder.unix_socket(url.to_string());
            config.client = builder.build().expect("Failed to build reqwest client");
        } else {
            warn!("AgentSettings contains a non-unix socket path: {}", url);
            config.base_path = url;
        }
        config
    }
 }
 impl AgentService {
    pub fn new(config: impl Into<Arc<Configuration>>) -> Self {
        let client = ApiClient::new(config.into());
        AgentService {
            client: Arc::new(client),
        }
    }
    #[allow(dead_code)]
    pub fn get_client(&self) -> Arc<ApiClient> {
        Arc::clone(&self.client)
    }
 }
 #[cfg(test)]
 mod tests {
    use super::*;
    use agent_client::{
        apis::{Api, nginx_agent_api::StatusSuccess},
        models::StatusResp,
    };
    use axum::{http::StatusCode, response::Json};
    use std::time::Duration;
    use tempfile::tempdir;
    use tokio::time::sleep;
    #[test]
    fn test_agent_service_creation() {
        let config = Configuration::default();
        let service = AgentService::new(config);
        let client = service.get_client();
        assert!(Arc::ptr_eq(&client, &service.client));
    }
    #[tokio::test]
    async fn test_agent_socket_support() {
        // create temporary socket path
        let dir = tempdir().expect("Failed to create temp dir");
        let socket_path = dir.path().join("agent.sock");
        // create axum app with a simple /status route
        let app = axum::Router::new().route(
            "/status",
            axum::routing::get(|| async {
                let result: (StatusCode, StatusResp) = (StatusCode::OK, StatusResp { ok: true });
                (result.0, Json(result.1))
            }),
        );
        // bind tokio unix listener and serve in background
        let listener =
            tokio::net::UnixListener::bind(&socket_path).expect("Failed to bind to unix socket");
        let server_fut = axum::serve::serve(listener, app);
        let _srv = tokio::spawn(async move {
            let _ = server_fut.await;
        });
        // give server a moment to start
        sleep(Duration::from_millis(50)).await;
        let client: ApiClient = ApiClient::new(Arc::new(Configuration {
            base_path: "http://localhost".to_string(),
            client: reqwest::Client::builder()
                .unix_socket(socket_path.clone())
                .build()
                .expect("Failed to build reqwest client"),
            ..Default::default()
        }));
        let res = client
            .nginx_agent_api()
            .status()
            .await
            .expect("Failed to get status");
        let body = res.entity.expect("Response entity is missing");
        assert!(res.status.is_success());
        if let StatusSuccess::Status200(body) = body {
            assert!(body.ok);
        } else {
            panic!("Unexpected response body");
        }
    }
 }
--- a/apps/api/src/services/auth/authentication.rs
+++ b/apps/api/src/services/auth/authentication.rs
@@ -197,14 +197,17 @@ mod tests {
        let (token, _) = service
            .generate_jwt(user_id, 60)
            .await
-            .expect("generate jwt");
+            .expect("Failed to generate jwt");
        let valid = service
            .is_valid_jwt(&token, None)
            .await
-            .expect("validate jwt");
+            .expect("Failed to validate jwt");
        assert!(valid.is_some(), "Generated token should be valid");
-        let claims = service.parse_jwt(&token).await.expect("parse jwt");
+        let claims = service
            .parse_jwt(&token)
            .await
            .expect("Failed to parse jwt");
        assert_eq!(claims.sub, user_id.to_string());
    }
@@ -213,10 +216,16 @@ mod tests {
        let service = AuthenticationServiceImpl::new(Some("secret".to_string()));
        let user_id = Uuid::new_v4();
-        let (token, _) = service.generate_jwt(user_id, 60).await.unwrap();
+        let (token, _) = service
            .generate_jwt(user_id, 60)
            .await
            .expect("Failed to generate jwt");
        let other_sub = Uuid::new_v4().to_string();
-        let valid = service.is_valid_jwt(&token, Some(other_sub)).await.unwrap();
+        let valid = service
            .is_valid_jwt(&token, Some(other_sub))
            .await
            .expect("jwt is not valid");
        assert!(
            valid.is_none(),
            "Token should be invalid for a different subject"
@@ -236,10 +245,19 @@ mod tests {
        let service = AuthenticationServiceImpl::new(Some("secret".to_string()));
        let user_id = Uuid::new_v4();
-        let (token, _) = service.generate_jwt(user_id, 60).await.unwrap();
+        let (token, _) = service
-        let new_token = service.refresh_jwt(&token, 120).await.unwrap();
+            .generate_jwt(user_id, 60)
            .await
            .expect("Failed to generate jwt");
        let new_token = service
            .refresh_jwt(&token, 120)
            .await
            .expect("Failed to refresh jwt");
-        let claims = service.parse_jwt(&new_token).await.unwrap();
+        let claims = service
            .parse_jwt(&new_token)
            .await
            .expect("Failed to parse refreshed jwt");
        assert_eq!(claims.sub, user_id.to_string());
        assert_eq!(claims.exp - claims.iat, 120);
    }
@@ -249,10 +267,16 @@ mod tests {
        let service = AuthenticationServiceImpl::new(Some("secret".to_string()));
        let user_id = Uuid::new_v4();
-        let (token, claims) = service.generate_jwt(user_id, 1).await.unwrap();
+        let (token, claims) = service
            .generate_jwt(user_id, 1)
            .await
            .expect("Failed to generate jwt");
        sleep(Duration::from_secs(2)).await;
-        let valid = service.is_valid_jwt(&token, None).await.unwrap();
+        let valid = service
            .is_valid_jwt(&token, None)
            .await
            .expect("Failed to validate jwt");
        assert!(
            valid.is_none(),
            "Token should be expired and thus invalid. Current time: {:?}. Diff: {}",
@@ -266,9 +290,15 @@ mod tests {
        let service = AuthenticationServiceImpl::new(Some("secret".to_string()));
        let user_id = Uuid::new_v4();
-        let (token, _) = service.generate_jwt(user_id, 1).await.unwrap();
+        let (token, _) = service
            .generate_jwt(user_id, 1)
            .await
            .expect("Failed to generate jwt");
-        service.invalidate_jwt(&token).await.unwrap();
+        service
            .invalidate_jwt(&token)
            .await
            .expect("Failed to invalidate jwt");
        // ensure entry is present
        {
--- a/apps/api/src/services/auth/authentication/strategies/password.rs
+++ b/apps/api/src/services/auth/authentication/strategies/password.rs
@@ -236,7 +236,7 @@ mod test {
                "CorrectPassword".as_bytes(),
                &SaltString::generate(&mut OsRng),
            )
-            .unwrap()
+            .expect("Failed to hash password")
            .to_string();
        let db = MockDatabase::new(sea_orm::DatabaseBackend::Sqlite)
            .append_query_results(vec![vec![user::Model {
@@ -281,7 +281,7 @@ mod test {
                "CorrectPassword".as_bytes(),
                &SaltString::generate(&mut OsRng),
            )
-            .unwrap()
+            .expect("Failed to hash password")
            .to_string();
        let db = MockDatabase::new(sea_orm::DatabaseBackend::Sqlite)
            .append_query_results(vec![vec![user::Model {
--- a/30
+++ b/30
@@ -50,13 +50,31 @@ generate-openapi:
  # Generate API client for frontend
  cd apps/frontend && \
  pnpm generate:openapi
-  # Generate OpenAPI spec for agent
+  # Generate API client for agent
  cd apps/agent && \
-  cargo run -- --generate-openapi --openapi-output ./openapi.yaml
+  cargo run -- generate-openapi --output swagger.json
  # TODO: Generate API client for agent in api
 generate-agent-client:
  # Generate API client for agent
  pnpm openapi-generator-cli generate \
  -g rust --skip-validate-spec \
  -o ./public/agent-client -i ./apps/agent/swagger.json \
  --additional-properties=library=reqwest-trait \
  --additional-properties=mockall=true \
  --additional-properties=packageName=agent_client \
  --additional-properties=packageVersion=0.1.0 \
  --additional-properties=supportAsync=true \
  --additional-properties=supportMultipleResponses=true \
  --additional-properties=topLevelApiClient=true \
  --additional-properties=useSingleRequestParameter=true
  # format generated code
  cd public/agent-client && \
  cargo fmt
  # append lint allows/forbids to the end of Cargo.toml to disable warnings in generated code and forbid unsafe code
  cd public/agent-client && \
  echo '\n[lints.clippy]\nall = "allow"\n[lints.rust]\nunsafe_code = "forbid"\n' >> Cargo.toml
-generate-all: generate-entity generate-openapi
+generate-all: generate-entity generate-openapi generate-agent-client
 build-frontend:
  # build frontend assets
@@ -68,6 +86,10 @@ build-backend:
  cd apps/api && \
  cargo build --release
 build-docker:
  cd apps/agent && \
  docker build -t yanpm/agent:latest .
 build-apps: build-frontend build-backend
 act *args:
--- a/openapitools.json
+++ b/openapitools.json
@@ -0,0 +1,7 @@
 {
  "$schema": "./node_modules/@openapitools/openapi-generator-cli/config.schema.json",
  "spaces": 2,
  "generator-cli": {
    "version": "7.18.0"
  }
 }
--- a/package.json
+++ b/package.json
@@ -0,0 +1,6 @@
 {
 	"devDependencies": {
 		"@openapitools/openapi-generator-cli": "^2.26.0",
 		"rust-just": "^1.44.0"
 	}
 }
--- a/apps/frontend/pnpm-lock.yaml
+++ b/apps/frontend/pnpm-lock.yaml
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -0,0 +1,7 @@
 packages:
  - apps/frontend
 onlyBuiltDependencies:
  - '@nestjs/core'
  - '@openapitools/openapi-generator-cli'
  - esbuild
--- a/public/agent-client/.gitignore
+++ b/public/agent-client/.gitignore
@@ -0,0 +1,3 @@
 /target/
 **/*.rs.bk
 Cargo.lock
--- a/public/agent-client/.openapi-generator-ignore
+++ b/public/agent-client/.openapi-generator-ignore
@@ -0,0 +1,23 @@
 # OpenAPI Generator Ignore
 # Generated by openapi-generator https://github.com/openapitools/openapi-generator
 # Use this file to prevent files from being overwritten by the generator.
 # The patterns follow closely to .gitignore or .dockerignore.
 # As an example, the C# client generator defines ApiClient.cs.
 # You can make changes and tell OpenAPI Generator to ignore just this file by uncommenting the following line:
 #ApiClient.cs
 # You can match any string of characters against a directory, file or extension with a single asterisk (*):
 #foo/*/qux
 # The above matches foo/bar/qux and foo/baz/qux, but not foo/bar/baz/qux
 # You can recursively match patterns against a directory, file or extension with a double asterisk (**):
 #foo/**/qux
 # This matches foo/bar/qux, foo/baz/qux, and foo/bar/baz/qux
 # You can also negate patterns with an exclamation (!).
 # For example, you can ignore all files in a docs folder with the file extension .md:
 #docs/*.md
 # Then explicitly reverse the ignore rule for a single file:
 #!docs/README.md
--- a/public/agent-client/.openapi-generator/FILES
+++ b/public/agent-client/.openapi-generator/FILES
@@ -0,0 +1,21 @@
 .gitignore
 .travis.yml
 Cargo.toml
 README.md
 docs/NginxAgentApi.md
 docs/StatusResp.md
 docs/ValidateAndReloadBody.md
 docs/ValidateAndReloadResp.md
 docs/ValidateBody.md
 docs/WriteConfigBody.md
 git_push.sh
 src/apis/configuration.rs
 src/apis/mod.rs
 src/apis/nginx_agent_api.rs
 src/lib.rs
 src/models/mod.rs
 src/models/status_resp.rs
 src/models/validate_and_reload_body.rs
 src/models/validate_and_reload_resp.rs
 src/models/validate_body.rs
 src/models/write_config_body.rs
--- a/public/agent-client/.openapi-generator/VERSION
+++ b/public/agent-client/.openapi-generator/VERSION
@@ -0,0 +1 @@
 7.18.0
--- a/public/agent-client/.travis.yml
+++ b/public/agent-client/.travis.yml
@@ -0,0 +1 @@
 language: rust
--- a/public/agent-client/Cargo.toml
+++ b/public/agent-client/Cargo.toml
@@ -0,0 +1,27 @@
 [package]
 name = "agent_client"
 version = "0.1.0"
 authors = ["OpenAPI Generator team and contributors"]
 description = "No description provided (generated by Openapi Generator https://github.com/openapitools/openapi-generator)"
 license = ""
 edition = "2021"
 [dependencies]
 serde = { version = "^1.0", features = ["derive"] }
 serde_json = "^1.0"
 serde_repr = "^0.1"
 url = "^2.5"
 async-trait = "^0.1"
 reqwest = { version = "^0.12", default-features = false, features = ["json", "multipart", "stream"] }
 mockall = { version = "^0.13", optional = true}
 [features]
 default = ["native-tls"]
 native-tls = ["reqwest/native-tls"]
 rustls-tls = ["reqwest/rustls-tls"]
 mockall = ["dep:mockall"]
 [lints.clippy]
 all = "allow"
 [lints.rust]
 unsafe_code = "forbid"
--- a/public/agent-client/README.md
+++ b/public/agent-client/README.md
@@ -0,0 +1,53 @@
 # Rust API client for agent_client
 No description provided (generated by Openapi Generator https://github.com/openapitools/openapi-generator)
 ## Overview
 This API client was generated by the [OpenAPI Generator](https://openapi-generator.tech) project.  By using the [openapi-spec](https://openapis.org) from a remote server, you can easily generate an API client.
 - API version: 0.1.0
 - Package version: 0.1.0
 - Generator version: 7.18.0
 - Build package: `org.openapitools.codegen.languages.RustClientCodegen`
 ## Installation
 Put the package under your project folder in a directory named `agent_client` and add the following to `Cargo.toml` under `[dependencies]`:
 ```
 agent_client = { path = "./agent_client" }
 ```
 ## Documentation for API Endpoints
 All URIs are relative to *http://localhost*
 Class | Method | HTTP request | Description
 ------------ | ------------- | ------------- | -------------
 *NginxAgentApi* | [**status**](docs/NginxAgentApi.md#status) | **GET** /status | Health check endpoint
 *NginxAgentApi* | [**validate**](docs/NginxAgentApi.md#validate) | **POST** /validate | 
 *NginxAgentApi* | [**validate_and_reload**](docs/NginxAgentApi.md#validate_and_reload) | **POST** /validate_and_reload | 
 *NginxAgentApi* | [**write_config**](docs/NginxAgentApi.md#write_config) | **POST** /write_config | 
 ## Documentation For Models
 - [StatusResp](docs/StatusResp.md)
 - [ValidateAndReloadBody](docs/ValidateAndReloadBody.md)
 - [ValidateAndReloadResp](docs/ValidateAndReloadResp.md)
 - [ValidateBody](docs/ValidateBody.md)
 - [WriteConfigBody](docs/WriteConfigBody.md)
 To get access to the crate's generated documentation, use:
 ```
 cargo doc --open
 ```
 ## Author
--- a/public/agent-client/docs/NginxAgentApi.md
+++ b/public/agent-client/docs/NginxAgentApi.md
@@ -0,0 +1,121 @@
 # \NginxAgentApi
 All URIs are relative to *http://localhost*
 Method | HTTP request | Description
 ------------- | ------------- | -------------
 [**status**](NginxAgentApi.md#status) | **GET** /status | Health check endpoint
 [**validate**](NginxAgentApi.md#validate) | **POST** /validate | 
 [**validate_and_reload**](NginxAgentApi.md#validate_and_reload) | **POST** /validate_and_reload | 
 [**write_config**](NginxAgentApi.md#write_config) | **POST** /write_config | 
 ## status
 > models::StatusResp status()
 Health check endpoint
 ### Parameters
 This endpoint does not need any parameter.
 ### Return type
 [**models::StatusResp**](StatusResp.md)
 ### Authorization
 No authorization required
 ### HTTP request headers
 - **Content-Type**: Not defined
 - **Accept**: application/json
 [[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)
 ## validate
 > serde_json::Value validate(validate_body)
 ### Parameters
 Name | Type | Description  | Required | Notes
 ------------- | ------------- | ------------- | ------------- | -------------
 **validate_body** | [**ValidateBody**](ValidateBody.md) |  | [required] |
 ### Return type
 [**serde_json::Value**](serde_json::Value.md)
 ### Authorization
 No authorization required
 ### HTTP request headers
 - **Content-Type**: application/json
 - **Accept**: application/json
 [[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)
 ## validate_and_reload
 > models::ValidateAndReloadResp validate_and_reload(validate_and_reload_body)
 ### Parameters
 Name | Type | Description  | Required | Notes
 ------------- | ------------- | ------------- | ------------- | -------------
 **validate_and_reload_body** | [**ValidateAndReloadBody**](ValidateAndReloadBody.md) |  | [required] |
 ### Return type
 [**models::ValidateAndReloadResp**](ValidateAndReloadResp.md)
 ### Authorization
 No authorization required
 ### HTTP request headers
 - **Content-Type**: application/json
 - **Accept**: application/json
 [[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)
 ## write_config
 > write_config(write_config_body)
 ### Parameters
 Name | Type | Description  | Required | Notes
 ------------- | ------------- | ------------- | ------------- | -------------
 **write_config_body** | [**WriteConfigBody**](WriteConfigBody.md) |  | [required] |
 ### Return type
 (empty response body)
 ### Authorization
 No authorization required
 ### HTTP request headers
 - **Content-Type**: application/json
 - **Accept**: application/json
 [[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)
--- a/public/agent-client/docs/StatusResp.md
+++ b/public/agent-client/docs/StatusResp.md
@@ -0,0 +1,11 @@
 # StatusResp
 ## Properties
 Name | Type | Description | Notes
 ------------ | ------------- | ------------- | -------------
 **ok** | **bool** |  | 
 [[Back to Model list]](../README.md#documentation-for-models) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to README]](../README.md)
--- a/public/agent-client/docs/TagNginxtagApi.md
+++ b/public/agent-client/docs/TagNginxtagApi.md
@@ -0,0 +1,121 @@
 # \TagNginxtagApi
 All URIs are relative to *http://localhost*
 Method | HTTP request | Description
 ------------- | ------------- | -------------
 [**status**](TagNginxtagApi.md#status) | **GET** /status | Health check endpoint
 [**validate**](TagNginxtagApi.md#validate) | **POST** /validate | 
 [**validate_and_reload**](TagNginxtagApi.md#validate_and_reload) | **POST** /validate_and_reload | 
 [**write_config**](TagNginxtagApi.md#write_config) | **POST** /write_config | 
 ## status
 > models::StatusResp status()
 Health check endpoint
 ### Parameters
 This endpoint does not need any parameter.
 ### Return type
 [**models::StatusResp**](StatusResp.md)
 ### Authorization
 No authorization required
 ### HTTP request headers
 - **Content-Type**: Not defined
 - **Accept**: application/json
 [[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)
 ## validate
 > serde_json::Value validate(validate_body)
 ### Parameters
 Name | Type | Description  | Required | Notes
 ------------- | ------------- | ------------- | ------------- | -------------
 **validate_body** | [**ValidateBody**](ValidateBody.md) |  | [required] |
 ### Return type
 [**serde_json::Value**](serde_json::Value.md)
 ### Authorization
 No authorization required
 ### HTTP request headers
 - **Content-Type**: application/json
 - **Accept**: application/json
 [[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)
 ## validate_and_reload
 > models::ValidateAndReloadResp validate_and_reload(validate_and_reload_body)
 ### Parameters
 Name | Type | Description  | Required | Notes
 ------------- | ------------- | ------------- | ------------- | -------------
 **validate_and_reload_body** | [**ValidateAndReloadBody**](ValidateAndReloadBody.md) |  | [required] |
 ### Return type
 [**models::ValidateAndReloadResp**](ValidateAndReloadResp.md)
 ### Authorization
 No authorization required
 ### HTTP request headers
 - **Content-Type**: application/json
 - **Accept**: application/json
 [[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)
 ## write_config
 > write_config(write_config_body)
 ### Parameters
 Name | Type | Description  | Required | Notes
 ------------- | ------------- | ------------- | ------------- | -------------
 **write_config_body** | [**WriteConfigBody**](WriteConfigBody.md) |  | [required] |
 ### Return type
 (empty response body)
 ### Authorization
 No authorization required
 ### HTTP request headers
 - **Content-Type**: application/json
 - **Accept**: application/json
 [[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)
--- a/public/agent-client/docs/ValidateAndReloadBody.md
+++ b/public/agent-client/docs/ValidateAndReloadBody.md
@@ -0,0 +1,12 @@
 # ValidateAndReloadBody
 ## Properties
 Name | Type | Description | Notes
 ------------ | ------------- | ------------- | -------------
 **config_name** | **String** |  | 
 **timestamp** | **i64** |  | 
 [[Back to Model list]](../README.md#documentation-for-models) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to README]](../README.md)
--- a/public/agent-client/docs/ValidateAndReloadResp.md
+++ b/public/agent-client/docs/ValidateAndReloadResp.md
@@ -0,0 +1,12 @@
 # ValidateAndReloadResp
 ## Properties
 Name | Type | Description | Notes
 ------------ | ------------- | ------------- | -------------
 **rc** | **i32** |  | 
 **ro** | **String** |  | 
 [[Back to Model list]](../README.md#documentation-for-models) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to README]](../README.md)
--- a/public/agent-client/docs/ValidateBody.md
+++ b/public/agent-client/docs/ValidateBody.md
@@ -0,0 +1,12 @@
 # ValidateBody
 ## Properties
 Name | Type | Description | Notes
 ------------ | ------------- | ------------- | -------------
 **config_name** | **String** |  | 
 **timestamp** | **i64** |  | 
 [[Back to Model list]](../README.md#documentation-for-models) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to README]](../README.md)
--- a/public/agent-client/docs/WriteConfigBody.md
+++ b/public/agent-client/docs/WriteConfigBody.md
@@ -0,0 +1,13 @@
 # WriteConfigBody
 ## Properties
 Name | Type | Description | Notes
 ------------ | ------------- | ------------- | -------------
 **config_name** | **String** |  | 
 **content** | **String** |  | 
 **timestamp** | **i64** |  | 
 [[Back to Model list]](../README.md#documentation-for-models) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to README]](../README.md)
--- a/public/agent-client/git_push.sh
+++ b/public/agent-client/git_push.sh
@@ -0,0 +1,57 @@
 #!/bin/sh
 # ref: https://help.github.com/articles/adding-an-existing-project-to-github-using-the-command-line/
 #
 # Usage example: /bin/sh ./git_push.sh wing328 openapi-petstore-perl "minor update" "gitlab.com"
 git_user_id=$1
 git_repo_id=$2
 release_note=$3
 git_host=$4
 if [ "$git_host" = "" ]; then
    git_host="github.com"
    echo "[INFO] No command line input provided. Set \$git_host to $git_host"
 fi
 if [ "$git_user_id" = "" ]; then
    git_user_id="GIT_USER_ID"
    echo "[INFO] No command line input provided. Set \$git_user_id to $git_user_id"
 fi
 if [ "$git_repo_id" = "" ]; then
    git_repo_id="GIT_REPO_ID"
    echo "[INFO] No command line input provided. Set \$git_repo_id to $git_repo_id"
 fi
 if [ "$release_note" = "" ]; then
    release_note="Minor update"
    echo "[INFO] No command line input provided. Set \$release_note to $release_note"
 fi
 # Initialize the local directory as a Git repository
 git init
 # Adds the files in the local repository and stages them for commit.
 git add .
 # Commits the tracked changes and prepares them to be pushed to a remote repository.
 git commit -m "$release_note"
 # Sets the new remote
 git_remote=$(git remote)
 if [ "$git_remote" = "" ]; then # git remote not defined
    if [ "$GIT_TOKEN" = "" ]; then
        echo "[INFO] \$GIT_TOKEN (environment variable) is not set. Using the git credential in your environment."
        git remote add origin https://${git_host}/${git_user_id}/${git_repo_id}.git
    else
        git remote add origin https://${git_user_id}:"${GIT_TOKEN}"@${git_host}/${git_user_id}/${git_repo_id}.git
    fi
 fi
 git pull origin master
 # Pushes (Forces) the changes in the local repository up to the remote repository
 echo "Git pushing to https://${git_host}/${git_user_id}/${git_repo_id}.git"
 git push origin master 2>&1 | grep -v 'To https'
--- a/public/agent-client/src/apis/configuration.rs
+++ b/public/agent-client/src/apis/configuration.rs
@@ -0,0 +1,48 @@
 /*
 * yanpm-agent
 *
 * No description provided (generated by Openapi Generator https://github.com/openapitools/openapi-generator)
 *
 * The version of the OpenAPI document: 0.1.0
 *
 * Generated by: https://openapi-generator.tech
 */
 #[derive(Debug, Clone)]
 pub struct Configuration {
    pub base_path: String,
    pub user_agent: Option<String>,
    pub client: reqwest::Client,
    pub basic_auth: Option<BasicAuth>,
    pub oauth_access_token: Option<String>,
    pub bearer_access_token: Option<String>,
    pub api_key: Option<ApiKey>,
 }
 pub type BasicAuth = (String, Option<String>);
 #[derive(Debug, Clone)]
 pub struct ApiKey {
    pub prefix: Option<String>,
    pub key: String,
 }
 impl Configuration {
    pub fn new() -> Configuration {
        Configuration::default()
    }
 }
 impl Default for Configuration {
    fn default() -> Self {
        Configuration {
            base_path: "http://localhost".to_owned(),
            user_agent: Some("OpenAPI-Generator/0.1.0/rust".to_owned()),
            client: reqwest::Client::new(),
            basic_auth: None,
            oauth_access_token: None,
            bearer_access_token: None,
            api_key: None,
        }
    }
 }
--- a/public/agent-client/src/apis/mod.rs
+++ b/public/agent-client/src/apis/mod.rs
@@ -0,0 +1,165 @@
 use std::error;
 use std::fmt;
 #[derive(Debug, Clone)]
 pub struct ResponseContent<T> {
    pub status: reqwest::StatusCode,
    pub content: String,
    pub entity: Option<T>,
 }
 #[derive(Debug)]
 pub enum Error<T> {
    Reqwest(reqwest::Error),
    Serde(serde_json::Error),
    Io(std::io::Error),
    ResponseError(ResponseContent<T>),
 }
 impl<T> fmt::Display for Error<T> {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        let (module, e) = match self {
            Error::Reqwest(e) => ("reqwest", e.to_string()),
            Error::Serde(e) => ("serde", e.to_string()),
            Error::Io(e) => ("IO", e.to_string()),
            Error::ResponseError(e) => ("response", format!("status code {}", e.status)),
        };
        write!(f, "error in {}: {}", module, e)
    }
 }
 impl<T: fmt::Debug> error::Error for Error<T> {
    fn source(&self) -> Option<&(dyn error::Error + 'static)> {
        Some(match self {
            Error::Reqwest(e) => e,
            Error::Serde(e) => e,
            Error::Io(e) => e,
            Error::ResponseError(_) => return None,
        })
    }
 }
 impl<T> From<reqwest::Error> for Error<T> {
    fn from(e: reqwest::Error) -> Self {
        Error::Reqwest(e)
    }
 }
 impl<T> From<serde_json::Error> for Error<T> {
    fn from(e: serde_json::Error) -> Self {
        Error::Serde(e)
    }
 }
 impl<T> From<std::io::Error> for Error<T> {
    fn from(e: std::io::Error) -> Self {
        Error::Io(e)
    }
 }
 pub fn urlencode<T: AsRef<str>>(s: T) -> String {
    ::url::form_urlencoded::byte_serialize(s.as_ref().as_bytes()).collect()
 }
 pub fn parse_deep_object(prefix: &str, value: &serde_json::Value) -> Vec<(String, String)> {
    if let serde_json::Value::Object(object) = value {
        let mut params = vec![];
        for (key, value) in object {
            match value {
                serde_json::Value::Object(_) => params.append(&mut parse_deep_object(
                    &format!("{}[{}]", prefix, key),
                    value,
                )),
                serde_json::Value::Array(array) => {
                    for (i, value) in array.iter().enumerate() {
                        params.append(&mut parse_deep_object(
                            &format!("{}[{}][{}]", prefix, key, i),
                            value,
                        ));
                    }
                }
                serde_json::Value::String(s) => {
                    params.push((format!("{}[{}]", prefix, key), s.clone()))
                }
                _ => params.push((format!("{}[{}]", prefix, key), value.to_string())),
            }
        }
        return params;
    }
    unimplemented!("Only objects are supported with style=deepObject")
 }
 /// Internal use only
 /// A content type supported by this client.
 #[allow(dead_code)]
 enum ContentType {
    Json,
    Text,
    Unsupported(String),
 }
 impl From<&str> for ContentType {
    fn from(content_type: &str) -> Self {
        if content_type.starts_with("application") && content_type.contains("json") {
            return Self::Json;
        } else if content_type.starts_with("text/plain") {
            return Self::Text;
        } else {
            return Self::Unsupported(content_type.to_string());
        }
    }
 }
 pub mod nginx_agent_api;
 pub mod configuration;
 use std::sync::Arc;
 pub trait Api {
    fn nginx_agent_api(&self) -> &dyn nginx_agent_api::NginxAgentApi;
 }
 pub struct ApiClient {
    nginx_agent_api: Box<dyn nginx_agent_api::NginxAgentApi>,
 }
 impl ApiClient {
    pub fn new(configuration: Arc<configuration::Configuration>) -> Self {
        Self {
            nginx_agent_api: Box::new(nginx_agent_api::NginxAgentApiClient::new(
                configuration.clone(),
            )),
        }
    }
 }
 impl Api for ApiClient {
    fn nginx_agent_api(&self) -> &dyn nginx_agent_api::NginxAgentApi {
        self.nginx_agent_api.as_ref()
    }
 }
 #[cfg(feature = "mockall")]
 pub struct MockApiClient {
    pub nginx_agent_api_mock: nginx_agent_api::MockNginxAgentApi,
 }
 #[cfg(feature = "mockall")]
 impl MockApiClient {
    pub fn new() -> Self {
        Self {
            nginx_agent_api_mock: nginx_agent_api::MockNginxAgentApi::new(),
        }
    }
 }
 #[cfg(feature = "mockall")]
 impl Api for MockApiClient {
    fn nginx_agent_api(&self) -> &dyn nginx_agent_api::NginxAgentApi {
        &self.nginx_agent_api_mock
    }
 }
--- a/public/agent-client/src/apis/nginx_agent_api.rs
+++ b/public/agent-client/src/apis/nginx_agent_api.rs
@@ -0,0 +1,329 @@
 /*
 * yanpm-agent
 *
 * No description provided (generated by Openapi Generator https://github.com/openapitools/openapi-generator)
 *
 * The version of the OpenAPI document: 0.1.0
 *
 * Generated by: https://openapi-generator.tech
 */
 use super::{configuration, Error};
 use crate::apis::ContentType;
 use crate::{apis::ResponseContent, models};
 use async_trait::async_trait;
 #[cfg(feature = "mockall")]
 use mockall::automock;
 use reqwest;
 use serde::{de::Error as _, Deserialize, Serialize};
 use std::sync::Arc;
 #[cfg_attr(feature = "mockall", automock)]
 #[async_trait]
 pub trait NginxAgentApi: Send + Sync {
    /// GET /status
    ///
    ///
    async fn status(&self) -> Result<ResponseContent<StatusSuccess>, Error<StatusError>>;
    /// POST /validate
    ///
    ///
    async fn validate(
        &self,
        params: ValidateParams,
    ) -> Result<ResponseContent<ValidateSuccess>, Error<ValidateError>>;
    /// POST /validate_and_reload
    ///
    ///
    async fn validate_and_reload(
        &self,
        params: ValidateAndReloadParams,
    ) -> Result<ResponseContent<ValidateAndReloadSuccess>, Error<ValidateAndReloadError>>;
    /// POST /write_config
    ///
    ///
    async fn write_config(
        &self,
        params: WriteConfigParams,
    ) -> Result<ResponseContent<WriteConfigSuccess>, Error<WriteConfigError>>;
 }
 pub struct NginxAgentApiClient {
    configuration: Arc<configuration::Configuration>,
 }
 impl NginxAgentApiClient {
    pub fn new(configuration: Arc<configuration::Configuration>) -> Self {
        Self { configuration }
    }
 }
 /// struct for passing parameters to the method [`NginxAgentApi::validate`]
 #[derive(Clone, Debug)]
 pub struct ValidateParams {
    pub validate_body: models::ValidateBody,
 }
 /// struct for passing parameters to the method [`NginxAgentApi::validate_and_reload`]
 #[derive(Clone, Debug)]
 pub struct ValidateAndReloadParams {
    pub validate_and_reload_body: models::ValidateAndReloadBody,
 }
 /// struct for passing parameters to the method [`NginxAgentApi::write_config`]
 #[derive(Clone, Debug)]
 pub struct WriteConfigParams {
    pub write_config_body: models::WriteConfigBody,
 }
 #[async_trait]
 impl NginxAgentApi for NginxAgentApiClient {
    async fn status(&self) -> Result<ResponseContent<StatusSuccess>, Error<StatusError>> {
        let local_var_configuration = &self.configuration;
        let local_var_client = &local_var_configuration.client;
        let local_var_uri_str = format!("{}/status", local_var_configuration.base_path);
        let mut local_var_req_builder =
            local_var_client.request(reqwest::Method::GET, local_var_uri_str.as_str());
        if let Some(ref local_var_user_agent) = local_var_configuration.user_agent {
            local_var_req_builder = local_var_req_builder
                .header(reqwest::header::USER_AGENT, local_var_user_agent.clone());
        }
        let local_var_req = local_var_req_builder.build()?;
        let local_var_resp = local_var_client.execute(local_var_req).await?;
        let local_var_status = local_var_resp.status();
        let local_var_content = local_var_resp.text().await?;
        if !local_var_status.is_client_error() && !local_var_status.is_server_error() {
            let local_var_entity: Option<StatusSuccess> =
                serde_json::from_str(&local_var_content).ok();
            let local_var_result = ResponseContent {
                status: local_var_status,
                content: local_var_content,
                entity: local_var_entity,
            };
            Ok(local_var_result)
        } else {
            let local_var_entity: Option<StatusError> =
                serde_json::from_str(&local_var_content).ok();
            let local_var_error = ResponseContent {
                status: local_var_status,
                content: local_var_content,
                entity: local_var_entity,
            };
            Err(Error::ResponseError(local_var_error))
        }
    }
    async fn validate(
        &self,
        params: ValidateParams,
    ) -> Result<ResponseContent<ValidateSuccess>, Error<ValidateError>> {
        let ValidateParams { validate_body } = params;
        let local_var_configuration = &self.configuration;
        let local_var_client = &local_var_configuration.client;
        let local_var_uri_str = format!("{}/validate", local_var_configuration.base_path);
        let mut local_var_req_builder =
            local_var_client.request(reqwest::Method::POST, local_var_uri_str.as_str());
        if let Some(ref local_var_user_agent) = local_var_configuration.user_agent {
            local_var_req_builder = local_var_req_builder
                .header(reqwest::header::USER_AGENT, local_var_user_agent.clone());
        }
        local_var_req_builder = local_var_req_builder.json(&validate_body);
        let local_var_req = local_var_req_builder.build()?;
        let local_var_resp = local_var_client.execute(local_var_req).await?;
        let local_var_status = local_var_resp.status();
        let local_var_content = local_var_resp.text().await?;
        if !local_var_status.is_client_error() && !local_var_status.is_server_error() {
            let local_var_entity: Option<ValidateSuccess> =
                serde_json::from_str(&local_var_content).ok();
            let local_var_result = ResponseContent {
                status: local_var_status,
                content: local_var_content,
                entity: local_var_entity,
            };
            Ok(local_var_result)
        } else {
            let local_var_entity: Option<ValidateError> =
                serde_json::from_str(&local_var_content).ok();
            let local_var_error = ResponseContent {
                status: local_var_status,
                content: local_var_content,
                entity: local_var_entity,
            };
            Err(Error::ResponseError(local_var_error))
        }
    }
    async fn validate_and_reload(
        &self,
        params: ValidateAndReloadParams,
    ) -> Result<ResponseContent<ValidateAndReloadSuccess>, Error<ValidateAndReloadError>> {
        let ValidateAndReloadParams {
            validate_and_reload_body,
        } = params;
        let local_var_configuration = &self.configuration;
        let local_var_client = &local_var_configuration.client;
        let local_var_uri_str =
            format!("{}/validate_and_reload", local_var_configuration.base_path);
        let mut local_var_req_builder =
            local_var_client.request(reqwest::Method::POST, local_var_uri_str.as_str());
        if let Some(ref local_var_user_agent) = local_var_configuration.user_agent {
            local_var_req_builder = local_var_req_builder
                .header(reqwest::header::USER_AGENT, local_var_user_agent.clone());
        }
        local_var_req_builder = local_var_req_builder.json(&validate_and_reload_body);
        let local_var_req = local_var_req_builder.build()?;
        let local_var_resp = local_var_client.execute(local_var_req).await?;
        let local_var_status = local_var_resp.status();
        let local_var_content = local_var_resp.text().await?;
        if !local_var_status.is_client_error() && !local_var_status.is_server_error() {
            let local_var_entity: Option<ValidateAndReloadSuccess> =
                serde_json::from_str(&local_var_content).ok();
            let local_var_result = ResponseContent {
                status: local_var_status,
                content: local_var_content,
                entity: local_var_entity,
            };
            Ok(local_var_result)
        } else {
            let local_var_entity: Option<ValidateAndReloadError> =
                serde_json::from_str(&local_var_content).ok();
            let local_var_error = ResponseContent {
                status: local_var_status,
                content: local_var_content,
                entity: local_var_entity,
            };
            Err(Error::ResponseError(local_var_error))
        }
    }
    async fn write_config(
        &self,
        params: WriteConfigParams,
    ) -> Result<ResponseContent<WriteConfigSuccess>, Error<WriteConfigError>> {
        let WriteConfigParams { write_config_body } = params;
        let local_var_configuration = &self.configuration;
        let local_var_client = &local_var_configuration.client;
        let local_var_uri_str = format!("{}/write_config", local_var_configuration.base_path);
        let mut local_var_req_builder =
            local_var_client.request(reqwest::Method::POST, local_var_uri_str.as_str());
        if let Some(ref local_var_user_agent) = local_var_configuration.user_agent {
            local_var_req_builder = local_var_req_builder
                .header(reqwest::header::USER_AGENT, local_var_user_agent.clone());
        }
        local_var_req_builder = local_var_req_builder.json(&write_config_body);
        let local_var_req = local_var_req_builder.build()?;
        let local_var_resp = local_var_client.execute(local_var_req).await?;
        let local_var_status = local_var_resp.status();
        let local_var_content = local_var_resp.text().await?;
        if !local_var_status.is_client_error() && !local_var_status.is_server_error() {
            let local_var_entity: Option<WriteConfigSuccess> =
                serde_json::from_str(&local_var_content).ok();
            let local_var_result = ResponseContent {
                status: local_var_status,
                content: local_var_content,
                entity: local_var_entity,
            };
            Ok(local_var_result)
        } else {
            let local_var_entity: Option<WriteConfigError> =
                serde_json::from_str(&local_var_content).ok();
            let local_var_error = ResponseContent {
                status: local_var_status,
                content: local_var_content,
                entity: local_var_entity,
            };
            Err(Error::ResponseError(local_var_error))
        }
    }
 }
 /// struct for typed successes of method [`NginxAgentApi::status`]
 #[derive(Debug, Clone, Serialize, Deserialize)]
 #[serde(untagged)]
 pub enum StatusSuccess {
    Status200(models::StatusResp),
    UnknownValue(serde_json::Value),
 }
 /// struct for typed successes of method [`NginxAgentApi::validate`]
 #[derive(Debug, Clone, Serialize, Deserialize)]
 #[serde(untagged)]
 pub enum ValidateSuccess {
    Status200(serde_json::Value),
    UnknownValue(serde_json::Value),
 }
 /// struct for typed successes of method [`NginxAgentApi::validate_and_reload`]
 #[derive(Debug, Clone, Serialize, Deserialize)]
 #[serde(untagged)]
 pub enum ValidateAndReloadSuccess {
    Status200(models::ValidateAndReloadResp),
    UnknownValue(serde_json::Value),
 }
 /// struct for typed successes of method [`NginxAgentApi::write_config`]
 #[derive(Debug, Clone, Serialize, Deserialize)]
 #[serde(untagged)]
 pub enum WriteConfigSuccess {
    Status200(),
    UnknownValue(serde_json::Value),
 }
 /// struct for typed errors of method [`NginxAgentApi::status`]
 #[derive(Debug, Clone, Serialize, Deserialize)]
 #[serde(untagged)]
 pub enum StatusError {
    UnknownValue(serde_json::Value),
 }
 /// struct for typed errors of method [`NginxAgentApi::validate`]
 #[derive(Debug, Clone, Serialize, Deserialize)]
 #[serde(untagged)]
 pub enum ValidateError {
    UnknownValue(serde_json::Value),
 }
 /// struct for typed errors of method [`NginxAgentApi::validate_and_reload`]
 #[derive(Debug, Clone, Serialize, Deserialize)]
 #[serde(untagged)]
 pub enum ValidateAndReloadError {
    UnknownValue(serde_json::Value),
 }
 /// struct for typed errors of method [`NginxAgentApi::write_config`]
 #[derive(Debug, Clone, Serialize, Deserialize)]
 #[serde(untagged)]
 pub enum WriteConfigError {
    Status500(serde_json::Value),
    UnknownValue(serde_json::Value),
 }
--- a/public/agent-client/src/apis/tag_nginxtag_api.rs
+++ b/public/agent-client/src/apis/tag_nginxtag_api.rs
@@ -0,0 +1,280 @@
 /*
 * yanpm-agent
 *
 * No description provided (generated by Openapi Generator https://github.com/openapitools/openapi-generator)
 *
 * The version of the OpenAPI document: 0.1.0
 * 
 * Generated by: https://openapi-generator.tech
 */
 use async_trait::async_trait;
 #[cfg(feature = "mockall")]
 use mockall::automock;
 use reqwest;
 use std::sync::Arc;
 use serde::{Deserialize, Serialize, de::Error as _};
 use crate::{apis::ResponseContent, models};
 use super::{Error, configuration};
 use crate::apis::ContentType;
 #[cfg_attr(feature = "mockall", automock)]
 #[async_trait]
 pub trait TagNginxtagApi: Send + Sync {
    /// GET /status
    ///
    /// 
    async fn status(&self, ) -> Result<ResponseContent<StatusSuccess>, Error<StatusError>>;
    /// POST /validate
    ///
    /// 
    async fn validate(&self,  params: ValidateParams ) -> Result<ResponseContent<ValidateSuccess>, Error<ValidateError>>;
    /// POST /validate_and_reload
    ///
    /// 
    async fn validate_and_reload(&self,  params: ValidateAndReloadParams ) -> Result<ResponseContent<ValidateAndReloadSuccess>, Error<ValidateAndReloadError>>;
    /// POST /write_config
    ///
    /// 
    async fn write_config(&self,  params: WriteConfigParams ) -> Result<ResponseContent<WriteConfigSuccess>, Error<WriteConfigError>>;
 }
 pub struct TagNginxtagApiClient {
    configuration: Arc<configuration::Configuration>
 }
 impl TagNginxtagApiClient {
    pub fn new(configuration: Arc<configuration::Configuration>) -> Self {
        Self { configuration }
    }
 }
 /// struct for passing parameters to the method [`TagNginxtagApi::validate`]
 #[derive(Clone, Debug)]
 pub struct ValidateParams {
    pub validate_body: models::ValidateBody
 }
 /// struct for passing parameters to the method [`TagNginxtagApi::validate_and_reload`]
 #[derive(Clone, Debug)]
 pub struct ValidateAndReloadParams {
    pub validate_and_reload_body: models::ValidateAndReloadBody
 }
 /// struct for passing parameters to the method [`TagNginxtagApi::write_config`]
 #[derive(Clone, Debug)]
 pub struct WriteConfigParams {
    pub write_config_body: models::WriteConfigBody
 }
 #[async_trait]
 impl TagNginxtagApi for TagNginxtagApiClient {
    async fn status(&self, ) -> Result<ResponseContent<StatusSuccess>, Error<StatusError>> {
        let local_var_configuration = &self.configuration;
        let local_var_client = &local_var_configuration.client;
        let local_var_uri_str = format!("{}/status", local_var_configuration.base_path);
        let mut local_var_req_builder = local_var_client.request(reqwest::Method::GET, local_var_uri_str.as_str());
        if let Some(ref local_var_user_agent) = local_var_configuration.user_agent {
            local_var_req_builder = local_var_req_builder.header(reqwest::header::USER_AGENT, local_var_user_agent.clone());
        }
        let local_var_req = local_var_req_builder.build()?;
        let local_var_resp = local_var_client.execute(local_var_req).await?;
        let local_var_status = local_var_resp.status();
        let local_var_content = local_var_resp.text().await?;
        if !local_var_status.is_client_error() && !local_var_status.is_server_error() {
            let local_var_entity: Option<StatusSuccess> = serde_json::from_str(&local_var_content).ok();
            let local_var_result = ResponseContent { status: local_var_status, content: local_var_content, entity: local_var_entity };
            Ok(local_var_result)
        } else {
            let local_var_entity: Option<StatusError> = serde_json::from_str(&local_var_content).ok();
            let local_var_error = ResponseContent { status: local_var_status, content: local_var_content, entity: local_var_entity };
            Err(Error::ResponseError(local_var_error))
        }
    }
    async fn validate(&self,  params: ValidateParams ) -> Result<ResponseContent<ValidateSuccess>, Error<ValidateError>> {
        let ValidateParams {
            validate_body,
        } = params;
        let local_var_configuration = &self.configuration;
        let local_var_client = &local_var_configuration.client;
        let local_var_uri_str = format!("{}/validate", local_var_configuration.base_path);
        let mut local_var_req_builder = local_var_client.request(reqwest::Method::POST, local_var_uri_str.as_str());
        if let Some(ref local_var_user_agent) = local_var_configuration.user_agent {
            local_var_req_builder = local_var_req_builder.header(reqwest::header::USER_AGENT, local_var_user_agent.clone());
        }
        local_var_req_builder = local_var_req_builder.json(&validate_body);
        let local_var_req = local_var_req_builder.build()?;
        let local_var_resp = local_var_client.execute(local_var_req).await?;
        let local_var_status = local_var_resp.status();
        let local_var_content = local_var_resp.text().await?;
        if !local_var_status.is_client_error() && !local_var_status.is_server_error() {
            let local_var_entity: Option<ValidateSuccess> = serde_json::from_str(&local_var_content).ok();
            let local_var_result = ResponseContent { status: local_var_status, content: local_var_content, entity: local_var_entity };
            Ok(local_var_result)
        } else {
            let local_var_entity: Option<ValidateError> = serde_json::from_str(&local_var_content).ok();
            let local_var_error = ResponseContent { status: local_var_status, content: local_var_content, entity: local_var_entity };
            Err(Error::ResponseError(local_var_error))
        }
    }
    async fn validate_and_reload(&self,  params: ValidateAndReloadParams ) -> Result<ResponseContent<ValidateAndReloadSuccess>, Error<ValidateAndReloadError>> {
        let ValidateAndReloadParams {
            validate_and_reload_body,
        } = params;
        let local_var_configuration = &self.configuration;
        let local_var_client = &local_var_configuration.client;
        let local_var_uri_str = format!("{}/validate_and_reload", local_var_configuration.base_path);
        let mut local_var_req_builder = local_var_client.request(reqwest::Method::POST, local_var_uri_str.as_str());
        if let Some(ref local_var_user_agent) = local_var_configuration.user_agent {
            local_var_req_builder = local_var_req_builder.header(reqwest::header::USER_AGENT, local_var_user_agent.clone());
        }
        local_var_req_builder = local_var_req_builder.json(&validate_and_reload_body);
        let local_var_req = local_var_req_builder.build()?;
        let local_var_resp = local_var_client.execute(local_var_req).await?;
        let local_var_status = local_var_resp.status();
        let local_var_content = local_var_resp.text().await?;
        if !local_var_status.is_client_error() && !local_var_status.is_server_error() {
            let local_var_entity: Option<ValidateAndReloadSuccess> = serde_json::from_str(&local_var_content).ok();
            let local_var_result = ResponseContent { status: local_var_status, content: local_var_content, entity: local_var_entity };
            Ok(local_var_result)
        } else {
            let local_var_entity: Option<ValidateAndReloadError> = serde_json::from_str(&local_var_content).ok();
            let local_var_error = ResponseContent { status: local_var_status, content: local_var_content, entity: local_var_entity };
            Err(Error::ResponseError(local_var_error))
        }
    }
    async fn write_config(&self,  params: WriteConfigParams ) -> Result<ResponseContent<WriteConfigSuccess>, Error<WriteConfigError>> {
        let WriteConfigParams {
            write_config_body,
        } = params;
        let local_var_configuration = &self.configuration;
        let local_var_client = &local_var_configuration.client;
        let local_var_uri_str = format!("{}/write_config", local_var_configuration.base_path);
        let mut local_var_req_builder = local_var_client.request(reqwest::Method::POST, local_var_uri_str.as_str());
        if let Some(ref local_var_user_agent) = local_var_configuration.user_agent {
            local_var_req_builder = local_var_req_builder.header(reqwest::header::USER_AGENT, local_var_user_agent.clone());
        }
        local_var_req_builder = local_var_req_builder.json(&write_config_body);
        let local_var_req = local_var_req_builder.build()?;
        let local_var_resp = local_var_client.execute(local_var_req).await?;
        let local_var_status = local_var_resp.status();
        let local_var_content = local_var_resp.text().await?;
        if !local_var_status.is_client_error() && !local_var_status.is_server_error() {
            let local_var_entity: Option<WriteConfigSuccess> = serde_json::from_str(&local_var_content).ok();
            let local_var_result = ResponseContent { status: local_var_status, content: local_var_content, entity: local_var_entity };
            Ok(local_var_result)
        } else {
            let local_var_entity: Option<WriteConfigError> = serde_json::from_str(&local_var_content).ok();
            let local_var_error = ResponseContent { status: local_var_status, content: local_var_content, entity: local_var_entity };
            Err(Error::ResponseError(local_var_error))
        }
    }
 }
 /// struct for typed successes of method [`TagNginxtagApi::status`]
 #[derive(Debug, Clone, Serialize, Deserialize)]
 #[serde(untagged)]
 pub enum StatusSuccess {
    Status200(models::StatusResp),
    UnknownValue(serde_json::Value),
 }
 /// struct for typed successes of method [`TagNginxtagApi::validate`]
 #[derive(Debug, Clone, Serialize, Deserialize)]
 #[serde(untagged)]
 pub enum ValidateSuccess {
    Status200(serde_json::Value),
    UnknownValue(serde_json::Value),
 }
 /// struct for typed successes of method [`TagNginxtagApi::validate_and_reload`]
 #[derive(Debug, Clone, Serialize, Deserialize)]
 #[serde(untagged)]
 pub enum ValidateAndReloadSuccess {
    Status200(models::ValidateAndReloadResp),
    UnknownValue(serde_json::Value),
 }
 /// struct for typed successes of method [`TagNginxtagApi::write_config`]
 #[derive(Debug, Clone, Serialize, Deserialize)]
 #[serde(untagged)]
 pub enum WriteConfigSuccess {
    Status200(),
    UnknownValue(serde_json::Value),
 }
 /// struct for typed errors of method [`TagNginxtagApi::status`]
 #[derive(Debug, Clone, Serialize, Deserialize)]
 #[serde(untagged)]
 pub enum StatusError {
    UnknownValue(serde_json::Value),
 }
 /// struct for typed errors of method [`TagNginxtagApi::validate`]
 #[derive(Debug, Clone, Serialize, Deserialize)]
 #[serde(untagged)]
 pub enum ValidateError {
    UnknownValue(serde_json::Value),
 }
 /// struct for typed errors of method [`TagNginxtagApi::validate_and_reload`]
 #[derive(Debug, Clone, Serialize, Deserialize)]
 #[serde(untagged)]
 pub enum ValidateAndReloadError {
    UnknownValue(serde_json::Value),
 }
 /// struct for typed errors of method [`TagNginxtagApi::write_config`]
 #[derive(Debug, Clone, Serialize, Deserialize)]
 #[serde(untagged)]
 pub enum WriteConfigError {
    Status500(serde_json::Value),
    UnknownValue(serde_json::Value),
 }
--- a/public/agent-client/src/lib.rs
+++ b/public/agent-client/src/lib.rs
@@ -0,0 +1,10 @@
 #![allow(unused_imports)]
 #![allow(clippy::too_many_arguments)]
 extern crate serde;
 extern crate serde_json;
 extern crate serde_repr;
 extern crate url;
 pub mod apis;
 pub mod models;
--- a/public/agent-client/src/models/mod.rs
+++ b/public/agent-client/src/models/mod.rs
@@ -0,0 +1,10 @@
 pub mod status_resp;
 pub use self::status_resp::StatusResp;
 pub mod validate_and_reload_body;
 pub use self::validate_and_reload_body::ValidateAndReloadBody;
 pub mod validate_and_reload_resp;
 pub use self::validate_and_reload_resp::ValidateAndReloadResp;
 pub mod validate_body;
 pub use self::validate_body::ValidateBody;
 pub mod write_config_body;
 pub use self::write_config_body::WriteConfigBody;
--- a/public/agent-client/src/models/status_resp.rs
+++ b/public/agent-client/src/models/status_resp.rs
@@ -0,0 +1,24 @@
 /*
 * yanpm-agent
 *
 * No description provided (generated by Openapi Generator https://github.com/openapitools/openapi-generator)
 *
 * The version of the OpenAPI document: 0.1.0
 *
 * Generated by: https://openapi-generator.tech
 */
 use crate::models;
 use serde::{Deserialize, Serialize};
 #[derive(Clone, Default, Debug, PartialEq, Serialize, Deserialize)]
 pub struct StatusResp {
    #[serde(rename = "ok")]
    pub ok: bool,
 }
 impl StatusResp {
    pub fn new(ok: bool) -> StatusResp {
        StatusResp { ok }
    }
 }
--- a/public/agent-client/src/models/validate_and_reload_body.rs
+++ b/public/agent-client/src/models/validate_and_reload_body.rs
@@ -0,0 +1,29 @@
 /*
 * yanpm-agent
 *
 * No description provided (generated by Openapi Generator https://github.com/openapitools/openapi-generator)
 *
 * The version of the OpenAPI document: 0.1.0
 *
 * Generated by: https://openapi-generator.tech
 */
 use crate::models;
 use serde::{Deserialize, Serialize};
 #[derive(Clone, Default, Debug, PartialEq, Serialize, Deserialize)]
 pub struct ValidateAndReloadBody {
    #[serde(rename = "config_name")]
    pub config_name: String,
    #[serde(rename = "timestamp")]
    pub timestamp: i64,
 }
 impl ValidateAndReloadBody {
    pub fn new(config_name: String, timestamp: i64) -> ValidateAndReloadBody {
        ValidateAndReloadBody {
            config_name,
            timestamp,
        }
    }
 }
--- a/public/agent-client/src/models/validate_and_reload_resp.rs
+++ b/public/agent-client/src/models/validate_and_reload_resp.rs
@@ -0,0 +1,26 @@
 /*
 * yanpm-agent
 *
 * No description provided (generated by Openapi Generator https://github.com/openapitools/openapi-generator)
 *
 * The version of the OpenAPI document: 0.1.0
 *
 * Generated by: https://openapi-generator.tech
 */
 use crate::models;
 use serde::{Deserialize, Serialize};
 #[derive(Clone, Default, Debug, PartialEq, Serialize, Deserialize)]
 pub struct ValidateAndReloadResp {
    #[serde(rename = "rc")]
    pub rc: i32,
    #[serde(rename = "ro")]
    pub ro: String,
 }
 impl ValidateAndReloadResp {
    pub fn new(rc: i32, ro: String) -> ValidateAndReloadResp {
        ValidateAndReloadResp { rc, ro }
    }
 }
--- a/public/agent-client/src/models/validate_body.rs
+++ b/public/agent-client/src/models/validate_body.rs
@@ -0,0 +1,29 @@
 /*
 * yanpm-agent
 *
 * No description provided (generated by Openapi Generator https://github.com/openapitools/openapi-generator)
 *
 * The version of the OpenAPI document: 0.1.0
 *
 * Generated by: https://openapi-generator.tech
 */
 use crate::models;
 use serde::{Deserialize, Serialize};
 #[derive(Clone, Default, Debug, PartialEq, Serialize, Deserialize)]
 pub struct ValidateBody {
    #[serde(rename = "config_name")]
    pub config_name: String,
    #[serde(rename = "timestamp")]
    pub timestamp: i64,
 }
 impl ValidateBody {
    pub fn new(config_name: String, timestamp: i64) -> ValidateBody {
        ValidateBody {
            config_name,
            timestamp,
        }
    }
 }
--- a/public/agent-client/src/models/write_config_body.rs
+++ b/public/agent-client/src/models/write_config_body.rs
@@ -0,0 +1,32 @@
 /*
 * yanpm-agent
 *
 * No description provided (generated by Openapi Generator https://github.com/openapitools/openapi-generator)
 *
 * The version of the OpenAPI document: 0.1.0
 *
 * Generated by: https://openapi-generator.tech
 */
 use crate::models;
 use serde::{Deserialize, Serialize};
 #[derive(Clone, Default, Debug, PartialEq, Serialize, Deserialize)]
 pub struct WriteConfigBody {
    #[serde(rename = "config_name")]
    pub config_name: String,
    #[serde(rename = "content")]
    pub content: String,
    #[serde(rename = "timestamp")]
    pub timestamp: i64,
 }
 impl WriteConfigBody {
    pub fn new(config_name: String, content: String, timestamp: i64) -> WriteConfigBody {
        WriteConfigBody {
            config_name,
            content,
            timestamp,
        }
    }
 }
Author	SHA1	Message	Date
GW_MC	6f5596dc69	Enforce deny unwrap_used All checks were successful Test / test-frontend (pull_request) Successful in 26s Details Test / lint-frontend (pull_request) Successful in 28s Details Test / frontend-build (pull_request) Successful in 32s Details Verify / verify-generated-database-code (pull_request) Successful in 1m7s Details Verify / verify-generated-agent-code (pull_request) Successful in 1m10s Details Verify / verify-openapi-spec (pull_request) Successful in 1m9s Details Verify / verify-frontend-api-client (pull_request) Successful in 7s Details Test / test-crates (pull_request) Successful in 54s Details Test / lint-crates (pull_request) Successful in 1m10s Details	2025-12-28 19:07:17 +08:00
GW_MC	96e7f36731	feat: integrate AgentService into app service and enhance configuration handling All checks were successful Test / test-frontend (pull_request) Successful in 25s Details Test / lint-frontend (pull_request) Successful in 28s Details Test / frontend-build (pull_request) Successful in 32s Details Verify / verify-generated-database-code (pull_request) Successful in 1m7s Details Verify / verify-generated-agent-code (pull_request) Successful in 1m11s Details Verify / verify-openapi-spec (pull_request) Successful in 1m13s Details Verify / verify-frontend-api-client (pull_request) Successful in 8s Details Test / test-crates (pull_request) Successful in 55s Details Test / lint-crates (pull_request) Successful in 1m9s Details	2025-12-28 18:35:53 +08:00
GW_MC	410328a2af	refactor app service	2025-12-28 18:28:28 +08:00
GW_MC	9f122566d0	feat: add agent settings configuration and update agent client service	2025-12-28 18:08:55 +08:00
GW_MC	c65dc3af47	feat: Basic agent-client service Some checks failed Test / test-frontend (pull_request) Successful in 27s Details Test / frontend-build (pull_request) Successful in 33s Details Verify / verify-openapi-spec (pull_request) Successful in 7s Details Verify / verify-generated-agent-code (pull_request) Successful in 1m7s Details Verify / verify-generated-database-code (pull_request) Successful in 2m14s Details Verify / verify-frontend-api-client (pull_request) Successful in 6s Details Test / lint-crates (pull_request) Failing after 1m28s Details Test / test-crates (pull_request) Successful in 2m40s Details Test / lint-frontend (pull_request) Successful in 29s Details	2025-12-28 17:53:27 +08:00
GW_MC	6f395ed1ae	rename workflows jobs	2025-12-28 16:42:12 +08:00
GW_MC	e6e85564e7	fix: incorrect pnpm cache All checks were successful Test / test-frontend (pull_request) Successful in 1m17s Details Test / lint-frontend (pull_request) Successful in 1m19s Details Test / frontend-build (pull_request) Successful in 1m55s Details Verify / verify-openapi-spec (pull_request) Successful in 31s Details Verify / verify-generated-agent-code (pull_request) Successful in 2m54s Details Verify / verify-generated-code (pull_request) Successful in 3m57s Details Verify / verify-frontend-api-client (pull_request) Successful in 8s Details Test / lint (pull_request) Successful in 1m25s Details Test / test (pull_request) Successful in 3m26s Details	2025-12-28 16:29:31 +08:00
GW_MC	c7a090f78a	fix: frontend deps not installed	2025-12-28 16:23:10 +08:00
GW_MC	8cc2775fe4	feat: auto format generated code, and ignore clippy lint in agent-client	2025-12-28 16:22:41 +08:00
GW_MC	0b64538754	added verify for untracked generated files	2025-12-28 15:56:04 +08:00
GW_MC	8009ca20ff	feat: added verify generated agent code in action workflows	2025-12-28 15:55:30 +08:00
GW_MC	7a5b9471e0	feat: added agent rust client generation	2025-12-28 15:16:47 +08:00
GW_MC	bb55e37b49	feat: added openapi generation for agent	2025-12-28 15:15:42 +08:00
GW_MC	9a264a61ac	Merge pull request 'feature/agent' (#11 ) from feature/agent into master All checks were successful Test / test-frontend (push) Successful in 20s Details Test / lint-frontend (push) Successful in 24s Details Verify / verify-openapi-spec (push) Successful in 4s Details Test / frontend-build (push) Successful in 29s Details Verify / verify-frontend-api-client (push) Successful in 5s Details Test / test (push) Successful in 53s Details Verify / verify-generated-code (push) Successful in 1m6s Details Test / lint (push) Successful in 1m10s Details Reviewed-on: #11	2025-12-22 18:29:26 +08:00
GW_MC	0eafd6a264	feat: upgrade actions/cache to v4 and clean up imports in main.rs All checks were successful Test / test-frontend (pull_request) Successful in 23s Details Test / lint-frontend (pull_request) Successful in 26s Details Verify / verify-openapi-spec (pull_request) Successful in 4s Details Test / frontend-build (pull_request) Successful in 29s Details Test / test (pull_request) Successful in 55s Details Verify / verify-generated-code (pull_request) Successful in 1m10s Details Verify / verify-frontend-api-client (pull_request) Successful in 7s Details Test / lint (pull_request) Successful in 1m10s Details	2025-12-22 18:26:19 +08:00
GW_MC	c14af00c08	feat: update dependencies and refactor command line argument handling for yanpm-agent Some checks failed Test / test-frontend (pull_request) Successful in 23s Details Test / lint-frontend (pull_request) Successful in 27s Details Verify / verify-openapi-spec (pull_request) Successful in 4s Details Test / frontend-build (pull_request) Successful in 30s Details Verify / verify-frontend-api-client (pull_request) Has been cancelled Details Verify / verify-generated-code (pull_request) Has been cancelled Details Test / test (pull_request) Has been cancelled Details Test / lint (pull_request) Has been cancelled Details	2025-12-22 18:16:26 +08:00
GW_MC	dce8203322	feat: add comprehensive documentation for yanpm-agent, including API reference, configuration, deployment, usage examples, and troubleshooting	2025-12-22 17:56:18 +08:00