Merge pull request 'feature/devcontainer' (#15 ) from feature/devcontainer into master

Reviewed-on: #15
feat: add VS Code extensions to devcontainer configuration
2026-01-15 22:19:34 +08:00 · 2026-01-15 14:06:10 +00:00 · 2026-01-15 13:56:48 +00:00 · 2026-01-12 11:56:37 +08:00 · 2026-01-12 11:49:46 +08:00 · 2026-01-12 11:49:29 +08:00
213 changed files with 28870 additions and 5451 deletions
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -0,0 +1,80 @@
 // For format details, see https://aka.ms/devcontainer.json. For config options, see the
 // README at: https://github.com/devcontainers/templates/tree/main/src/rust
 {
  "name": "YANPM",
  // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
  "image": "mcr.microsoft.com/devcontainers/rust:2-1-trixie",
  "features": {
    "ghcr.io/devcontainers/features/java:1": {
      "version": "latest",
      "jdkDistro": "open",
      "gradleVersion": "latest",
      "mavenVersion": "latest",
      "antVersion": "latest",
      "groovyVersion": "latest"
    },
    "ghcr.io/dhoeric/features/act:1": {},
    "ghcr.io/guiyomh/features/just:0": {
      "version": "latest"
    },
    "ghcr.io/devcontainers/features/node:1": {
      "nodeGypDependencies": true,
      "version": "22",
      "pnpmVersion": "latest",
      "nvmVersion": "latest"
    },
    "ghcr.io/devcontainers/features/docker-in-docker:2": {
      "moby": false,
      "azureDnsAutoDetection": true,
      "installDockerBuildx": true,
      "installDockerComposeSwitch": true,
      "disableIp6tables": true,
      "version": "latest",
      "dockerDashComposeVersion": "v2"
    }
  },
  // Use 'mounts' to make the cargo cache persistent in a Docker Volume.
  // "mounts": [
  // 	{
  // 		"source": "devcontainer-cargo-cache-${devcontainerId}",
  // 		"target": "/usr/local/cargo",
  // 		"type": "volume"
  // 	}
  // ]
  // Features to add to the dev container. More info: https://containers.dev/features.
  // "features": {},
  // Use 'forwardPorts' to make a list of ports inside the container available locally.
  // "forwardPorts": [],
  // Use 'postCreateCommand' to run commands after the container is created.
  "postCreateCommand": "bash .devcontainer/start.sh",
  // Configure tool-specific properties.
  "customizations": {
    "vscode": {
      "extensions": [
        "mikestead.dotenv",
        "usernamehw.errorlens",
        "streetsidesoftware.code-spell-checker",
        "mhutchie.git-graph",
        "yzhang.markdown-all-in-one",
        "christian-kohler.npm-intellisense",
        "42Crunch.vscode-openapi",
        "christian-kohler.path-intellisense",
        "esbenp.prettier-vscode",
        "rust-lang.rust-analyzer",
        "nefrob.vscode-just-syntax",
        "redhat.vscode-yaml",
        // optional
        "SirTori.indenticator",
        "oderwat.indent-rainbow"
      ]
    }
  }
  // Uncomment to connect as root instead. More info: https://aka.ms/dev-containers-non-root.
  // "remoteUser": "root"
 }
--- a/.devcontainer/start.sh
+++ b/.devcontainer/start.sh
@@ -0,0 +1,19 @@
 #!/bin/sh
 set -e
 echo "Starting devcontainer setup..."
 echo "Installing dependencies..."
 # install dependencies
 pnpm install --frozen-lockfile
 cargo install sea-orm-cli
 echo "building agent image..."
 # build agent image
 cd apps/agent
 just build-docker
 cd -
 echo "Agent image built."
 echo "Devcontainer setup complete."
--- a/.github/actions/setup-rust/action.yml
+++ b/.github/actions/setup-rust/action.yml
@@ -22,7 +22,7 @@ runs:
        fetch-depth: 0
    - name: Cache cargo registry
-      uses: actions/cache@v3
+      uses: actions/cache@v4
      with:
        path: ~/.cargo/registry
        key: ${{ runner.os }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }}
@@ -30,7 +30,7 @@ runs:
          ${{ runner.os }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }}
    - name: Cache cargo index
-      uses: actions/cache@v3
+      uses: actions/cache@v4
      with:
        path: ~/.cargo/index
        key: ${{ runner.os }}-cargo-index-${{ hashFiles('**/Cargo.lock') }}
@@ -51,7 +51,7 @@ runs:
          ${{ runner.os }}-rustup-
    - name: Cache cargo build (target)
-      uses: actions/cache@v3
+      uses: actions/cache@v4
      with:
        path: target
        key: ${{ runner.os }}-cargo-build-${{ hashFiles('**/Cargo.lock') }}
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -12,11 +12,8 @@ on:
 jobs:
  # setup is now handled by a composite action used by downstream jobs to keep
  # the workflow DRY. The composite action performs checkout, cache restore and
  # toolchain setup.
-  test:
+  test-crates:
    needs: frontend-build
    runs-on: ubuntu-latest
    steps:
@@ -39,7 +36,7 @@ jobs:
      - name: Run tests
        run: cargo test --all-features
-  lint:
+  lint-crates:
    needs: frontend-build
    runs-on: ubuntu-latest
    steps:
@@ -67,6 +64,34 @@ jobs:
      - name: Check code formatting
        run: cargo fmt --all -- --check
  lint-frontend:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
      - uses: pnpm/action-setup@v4
        with:
          version: 10
          run_install: false
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: 'pnpm'
          cache-dependency-path: pnpm-lock.yaml
      - name: Install frontend dependencies
        run: |
          cd apps/frontend
          pnpm install
      - name: Run frontend linter
        run: |
          cd apps/frontend
          pnpm lint
  test-frontend:
    runs-on: ubuntu-latest
    steps:
@@ -86,7 +111,7 @@ jobs:
        with:
          node-version: 22
          cache: 'pnpm'
-          cache-dependency-path: apps/frontend/pnpm-lock.yaml
+          cache-dependency-path: pnpm-lock.yaml
      - name: Install frontend dependencies
        run: |
@@ -114,12 +139,12 @@ jobs:
        with:
          node-version: 22
          cache: 'pnpm'
-          cache-dependency-path: apps/frontend/pnpm-lock.yaml
+          cache-dependency-path: pnpm-lock.yaml
      - name: Install frontend dependencies
        run: |
          cd apps/frontend
-          pnpm install
+          pnpm install --frozen-lockfile
      - name: Build frontend
        run: |
--- a/.github/workflows/verify.yml
+++ b/.github/workflows/verify.yml
@@ -11,18 +11,15 @@ on:
 jobs:
  # setup is now handled by a composite action used by downstream jobs to keep
  # the workflow DRY. The composite action performs checkout, cache restore and
  # toolchain setup.
-  verify-generated-code:
+  verify-generated-database-code:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
-          
+
      - name: Setup Rust, checkout and restore caches
        uses: ./.github/actions/setup-rust
@@ -32,14 +29,62 @@ jobs:
          cargo run -- db:migrate_and_generate --output-path ../../public/database/src/generated/entities
      - name: Check for uncommitted changes in /generated/
        run: |
-          if [[ -n $(git status --porcelain | grep '^ M .*\/generated\/') ]]; then
+          if [[ -n $(git status --porcelain --untracked-files=all | grep '/generated/') ]]; then
            echo "Generated code is not up to date. Please run the code generation locally and commit the changes."
-            git status --porcelain | grep '^ M .*\/generated\/'
+            git status --porcelain --untracked-files=all | grep '/generated/'
            exit 1
          else
            echo "Generated code is up to date."
          fi
  verify-generated-agent-code:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - uses: actions/setup-java@v5
        with:
          distribution: 'temurin'
          java-version: '21'
      - name: Setup Rust, checkout and restore caches
        uses: ./.github/actions/setup-rust
      - name: Setup PNPM
        uses: pnpm/action-setup@v4
        with:
          version: 10
          run_install: false
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: 'pnpm'
          cache-dependency-path: pnpm-lock.yaml
      - name: Install root dependencies
        run: |
          pnpm install --frozen-lockfile
      - name: generate agent client code
        run: |
          pnpm just generate-agent-client
      - name: Check for uncommitted changes in agent client code
        run: |
          if [[ -n $(git status --porcelain --untracked-files=all | grep 'public/agent-client/') ]]; then
            echo "Agent client code is not up to date. Please run the agent client code generation locally and commit the changes."
            git status --porcelain --untracked-files=all | grep 'public/agent-client/'
            exit 1
          else
            echo "Agent client code is up to date."
          fi
  verify-openapi-spec:
    runs-on: ubuntu-latest
    steps:
@@ -83,7 +128,7 @@ jobs:
      - name: Setup Rust, checkout and restore caches
        if: steps.check_changes.outputs.changed == 'true'
        uses: ./.github/actions/setup-rust
-      
+
      - name: Generate dummy frontend build (to satisfy dependencies)
        if: steps.check_changes.outputs.changed == 'true'
        run: |
@@ -95,13 +140,13 @@ jobs:
        run: |
          cd apps/api
          cargo run -- generate:openapi --output-path ./swagger.json
-      
+
      - name: Check for uncommitted changes in swagger.json
        if: steps.check_changes.outputs.changed == 'true'
        run: |
-          if [[ -n $(git status --porcelain | grep '^ M apps/api/swagger.json') ]]; then
+          if [[ -n $(git status --porcelain --untracked-files=all | grep 'apps/api/swagger.json') ]]; then
            echo "OpenAPI spec is not up to date. Please run the OpenAPI generation locally and commit the changes."
-            git status --porcelain | grep '^ M apps/api/swagger.json'
+            git status --porcelain --untracked-files=all | grep 'apps/api/swagger.json'
            exit 1
          else
            echo "OpenAPI spec is up to date."
@@ -165,14 +210,14 @@ jobs:
        with:
          node-version: 22
          cache: 'pnpm'
-          cache-dependency-path: apps/frontend/pnpm-lock.yaml
+          cache-dependency-path: pnpm-lock.yaml
-      
+
      - name: Install frontend dependencies
        if: steps.check_swagger_changes.outputs.changed == 'true'
        run: |
          cd apps/frontend
          pnpm install
-      
+
      - name: Generate frontend API client
        if: steps.check_swagger_changes.outputs.changed == 'true'
        run: |
@@ -182,14 +227,14 @@ jobs:
      - name: Check for uncommitted changes in frontend API client
        if: steps.check_swagger_changes.outputs.changed == 'true'
        run: |
-          if [[ -n $(git status --porcelain | grep '^ M apps/frontend/app/generated/api-client') ]]; then
+          if [[ -n $(git status --porcelain --untracked-files=all | grep 'apps/frontend/app/generated/api-client') ]]; then
            echo "Frontend API client is not up to date. Please run the API client generation locally and commit the changes."
-            git status --porcelain | grep '^ M apps/frontend/app/generated/api-client'
+            git status --porcelain --untracked-files=all | grep 'apps/frontend/app/generated/api-client'
            exit 1
          else
            echo "Frontend API client is up to date."
          fi
-      
+
      - name: Skip frontend API client generation (no relevant changes)
        if: steps.check_swagger_changes.outputs.changed == 'false'
        run: echo "No changes in apps/api/swagger.json nor apps/frontend/app/generated/api-client, skipping frontend API client generation verification."
--- a/.gitignore
+++ b/.gitignore
@@ -27,3 +27,6 @@ target
 .env.generated
 generated-config.yaml
 node_modules/
 .pnpm-store/
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,3 +1,12 @@
 {
-  "cSpell.words": ["YANPM"]
+  "cSpell.words": ["chrono", "jsonwebtoken", "oneshot", "utoipa", "YANPM"],
  "sqltools.useNodeRuntime": true,
  "sqltools.connections": [
    {
      "previewLimit": 50,
      "driver": "SQLite",
      "database": "${workspaceFolder:yet-another-nginx-proxy-manager}/apps/container/generated/sqlite/sqlite.db",
      "name": "YANPM"
    }
  ]
 }
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,8 +1,10 @@
 [workspace]
-members = [ 
+members = [
    "apps/api",
    "apps/container",
    "apps/cli",
    "apps/agent",
    "public/agent-client",
    "public/shared",
    "public/database",
    "public/migration"
--- a/apps/agent/.gitignore
+++ b/apps/agent/.gitignore
@@ -0,0 +1 @@
 *.sock
--- a/apps/agent/Cargo.toml
+++ b/apps/agent/Cargo.toml
@@ -0,0 +1,16 @@
 [package]
 name = "yanpm-agent"
 version = "0.1.0"
 edition = "2024"
 [dependencies]
 axum = { version = "0.8.7", features = ["form", "http1", "json", "matched-path", "original-uri", "query", "tokio", "tower-log", "tracing", "macros"] }
 tokio = { version = "1", features = ["fs", "io-util", "io-std", "macros", "net", "parking_lot", "process", "rt", "rt-multi-thread", "signal", "sync", "time", "tracing"] }
 tracing = { version = "0.1.41", features = ["std", "attributes"] }
 tracing-subscriber = { version = "0.3.20", features = ["smallvec", "fmt", "ansi", "tracing-log", "std", "json", "serde", "serde_json", "time", "tracing"] }
 serde_json = { version = "1.0.145", features = ["std"] }
 serde = { version = "1.0.228", features = ["std", "derive"] }
 tokio-cron-scheduler = { version = "0.15.1", features = ["signal"] }
 clap = { version = "4", features = ["derive", "env"] }
 nix = { version = "0.30.1", features = ["user", "fs"] }
 utoipa = { version = "5.4.0", features = ["macros", "axum_extras", "chrono", "decimal", "uuid", "time", "openapi_extensions"] }
--- a/apps/agent/Dockerfile
+++ b/apps/agent/Dockerfile
@@ -0,0 +1,56 @@
 FROM rust:1.92-alpine3.23 AS builder
 # Install build deps and binutils (for strip)
 RUN apk add --no-cache build-base musl-dev openssl-dev pkgconfig ca-certificates curl binutils
 WORKDIR /app
 # Copy manifest first to leverage Docker layer caching for dependencies
 COPY ./Cargo.toml ./
 RUN cargo fetch --locked || true
 COPY ./src ./src
 # Build the release binary and strip it to reduce size
 RUN cargo build --release --bin yanpm-agent && \
  strip target/release/yanpm-agent || true
 FROM nginx:mainline-alpine3.23 AS base
 # Expose typical HTTP ports used by nginx
 EXPOSE 80 443
 ENV S6_KEEP_ENV=1
 ENV YANPM_AGENT_SOCK=/var/run/yanpm/yanpm-agent.sock
 ENV YANPM_NGINX_CONFIG_DIR=/etc/nginx/conf.d
 ENV YANPM_AGENT_SOCK_PERM=660
 ENV YANPM_AGENT_SOCK_GID=""
 ENV YANPM_AGENT_UID=1000
 ENV YANPM_AGENT_GID=1000
 WORKDIR /app
 # Install ca-certificates for TLS and minimal tools
 RUN apk add --no-cache ca-certificates curl
 # Install s6-overlay
 ENV S6_OVERLAY_VERSION=v3.2.1.0
 ADD https://github.com/just-containers/s6-overlay/releases/download/${S6_OVERLAY_VERSION}/s6-overlay-noarch.tar.xz /tmp
 RUN tar -C / -Jxpf /tmp/s6-overlay-noarch.tar.xz && rm /tmp/s6-overlay-noarch.tar.xz
 ADD https://github.com/just-containers/s6-overlay/releases/download/${S6_OVERLAY_VERSION}/s6-overlay-x86_64.tar.xz /tmp/s6-overlay.tar.xz
 RUN tar -C / -Jxpf /tmp/s6-overlay.tar.xz && rm /tmp/s6-overlay.tar.xz
 # Runtime user creation handled by s6 cont-init (see /etc/cont-init.d)
 # create directory for yanpm agent socket; ownership will be fixed at container start
 RUN mkdir -p /var/run/yanpm
 # Copy s6 service definitions (created in repo under s6/) into image
 COPY ./docker/s6/services.d /etc/services.d
 COPY ./docker/s6/cont-init.d /etc/cont-init.d
 RUN chmod +x /etc/services.d/*/run && chmod +x /etc/cont-init.d/*
 COPY --from=builder /app/target/release/yanpm-agent ./yanpm-agent
 RUN chmod +x /app/yanpm-agent
 # s6-overlay provides /init as the init process
 ENTRYPOINT ["/init"]
--- a/apps/agent/doc/README.md
+++ b/apps/agent/doc/README.md
@@ -0,0 +1,19 @@
 # yanpm-agent Documentation
 This directory contains in-depth documentation for the yanpm agent daemon (the binary built from `apps/agent`). The agent exposes a unix-socket HTTP API for writing nginx configuration fragments, validating them, and reloading nginx safely.
 Docs included:
 - `architecture.md` — Detailed explanation of the program flow and components.
 - `configuration.md` — CLI flags, environment variables, defaults, and permission handling.
 - `usage.md` — How to run the agent, curl examples, and systemd/docker hints.
 - `api.md` — HTTP API endpoints, request and response schemas, examples.
 - `deployment.md` — Deployment considerations, permissions, and systemd socket/unit examples.
 - `troubleshooting.md` — Common errors and solutions.
 For implementation details, see the source in `apps/agent/src` (notably `main.rs`, `routes.rs`, and the `commands/` submodule).
 Integration notes
 - The agent is intended to run as a companion agent for the API service in `apps/api`. The API service calls the agent over the unix-domain socket to write nginx fragments, validate them, and trigger reloads.
 - A production Docker image is provided by `apps/agent/Dockerfile`. That Dockerfile packages nginx + the `yanpm-agent` binary and s6-overlay service scripts so a single container can run nginx and the agent alongside each other.
--- a/apps/agent/doc/api.md
+++ b/apps/agent/doc/api.md
@@ -0,0 +1,68 @@
 # HTTP API Reference
 Base: HTTP over a unix-domain socket. Example using curl: `curl --unix-socket /path/to/socket -X POST http://localhost/<path>`
 1) GET /status
   - Response: 200 OK
   - Body: JSON `{ "ok": true }`
 2) POST /validate
   - Request JSON:
   ```json
   {
     "config_name": "example",
     "timestamp": 1234567890
   }
   ```
   - Behavior: validates the fragment file named by `config_name` and `timestamp` under the agent's internal subdirectory inside the configured nginx config directory. Delegates to `ValidateCommand::validate`.
   - Success: 200 OK, body is `[rc, output]` tuple serialized as JSON (actual shape is `(i32, String)` returned from the command; examine responses for exact formatting).
   - Error cases:
     - 400 Bad Request: invalid or malformed JSON
     - 500 Internal Server Error: validation error or missing fragment file
   - Request JSON:
   ```json
   {
      "config_name": "example",
      "timestamp": 1234567890
   }
   ```
   - Behavior: validates the fragment file named by `config_name` and `timestamp` under the agent's internal subdirectory inside the configured nginx config directory. Delegates to `ValidateCommand::validate`.
   - Success: 200 OK, body is a JSON array `[rc, output]` where `rc` is the integer return code and `output` is the combined stdout/stderr string from the validation command (the command returns an `(i32, String)` tuple).
   - Error cases:
      - 400 Bad Request: invalid or malformed JSON
      - 500 Internal Server Error: validation error or missing fragment file
 3) POST /validate_and_reload
   - Request JSON same as `/validate`.
   - Behavior: runs validation and, on success, attempts to reload nginx. Returns an object with `rc` and `ro` (return code and combined stdout/stderr output).
   - Success: 200 OK with body: `{ "rc": <int>, "ro": "<output>" }`
   - Errors: 400 for malformed JSON, 500 if the validate-and-reload command fails (body presents error text).
 4) POST /write_config
   - Request JSON:
   ```json
   {
     "config_name": "example",
     "timestamp": 1234567890,
     "content": "server { ... }"
   }
   ```
   - Behavior: writes the provided `content` into an agent-managed fragment file named from `config_name` and `timestamp` in the internal subdirectory under `nginx_config_dir`.
   - Success: 200 OK with empty body
   - Error: 400 for malformed JSON, 500 if writing the file fails
 Notes
 - The agent expects callers to choose a `config_name` and `timestamp` that together form a unique filename. The concrete filename encoding is performed by `commands::run::to_file_name` in source.
 - On validation failures the returned output often contains the full `nginx -t` output; inspect `ro` or the returned JSON error messages.
--- a/apps/agent/doc/architecture.md
+++ b/apps/agent/doc/architecture.md
@@ -0,0 +1,34 @@
 # Architecture and Runtime Flow
 Overview
 - The agent is an async HTTP server (axum) listening on a Unix domain socket and exposes a small JSON API to manage nginx configuration fragments.
 - Core lifecycle is implemented in `apps/agent/src/main.rs`:
  - parse CLI args and environment variables
  - ensure the socket path and directory exist and have permissive but secure defaults
  - bind a `tokio::net::UnixListener` to the socket
  - create an `NginxService` (shared state) and an in-process cron `JobScheduler`
  - mount axum routes (`/status`, `/validate`, `/validate_and_reload`, `/write_config`) and serve HTTP over the Unix socket
 Key components
 - `main.rs` — Bootstrapping, argument handling, socket setup and permission handling, scheduler start, and axum server startup.
 - `routes.rs` — axum handlers for the HTTP API. It deserializes JSON payloads and delegates to `NginxService` methods. Handlers return appropriate HTTP status codes and JSON on error or success.
 - `commands/` — Implementation of lower-level actions (writing fragment files, running `nginx -t`, validating, reloads). The `validate.rs` command contains sophisticated behavior to handle permission-limited environments by:
  - creating wrapper nginx configs that include a single fragment
  - trying `nginx -t` directly, attempting a privileged wrapper via `sudo` if available, and finally passing a writable PID override via `-g pid ...;` to avoid permission failures
 Concurrency and state
 - A single shared `NginxService` instance is stored in axum `State` and cloned into handlers; it holds the scheduler and the configured nginx config directory path.
 - The JobScheduler is created with `tokio_cron_scheduler::JobScheduler` and started before serving requests.
 Error handling and best-effort behavior
 - Socket permission changes, GID changes, and directory creations are best-effort and log warnings on failure rather than failing hard.
 - Most command failures are converted into JSON errors with appropriate HTTP status codes so callers can inspect command output.
 Integration and packaging
 - The agent is intended to run as a companion to the API server in `apps/api`. The API calls the agent over the unix socket to write fragments, validate them, and trigger reloads.
 - `apps/agent/Dockerfile` builds a runtime image that includes `nginx` and the `yanpm-agent` binary (the Dockerfile uses s6-overlay to run multiple services). This image is suitable for deployments that prefer nginx and the agent colocated in a single container.
--- a/apps/agent/doc/configuration.md
+++ b/apps/agent/doc/configuration.md
@@ -0,0 +1,27 @@
 # Configuration and Environment
 CLI flags and environment variables
 - `--sock` / `YANPM_AGENT_SOCK` (default: `./yanpm-agent.sock`)
  - Path to the Unix socket file the agent will bind to.
  - If the socket directory does not exist the agent attempts to create it and set mode `0770`.
 - `--nginx-config-dir` / `YANPM_NGINX_CONFIG_DIR` (default: `/etc/nginx/conf.d`)
  - Directory where nginx fragments are written. The agent writes fragments into a subdirectory named by the agent (internal use).
 - `--sock-perm` / `YANPM_AGENT_SOCK_PERM` (default: `660`)
  - A 3-digit octal permission string applied to the socket file (best-effort). The program validates this is a 3-digit octal string.
  - If the final digit is greater than `0` a warning is logged because that allows "others" access.
 - `--sock-gid` / `YANPM_AGENT_SOCK_GID` (default: current user's primary group)
  - GID to set on the socket file (best-effort).
 Validation rules and behavior
 - `sock_perm` must be exactly 3 octal digits (characters 0-7). The agent rejects invalid values at startup.
 - When an existing path exists at the socket location the agent verifies it is a unix socket; if so it removes it before binding. If the path exists and is not a socket, startup fails.
 - Setting permissions (`set_permissions`) and changing GID (`chown`) are attempted but non-fatal: failures are logged as warnings and the agent continues.
 Notes about nginx config directory
 - The agent writes fragments into a subdirectory (internal) of the configured `nginx_config_dir`. Ensure nginx is configured to include that subdirectory so fragments are picked up, or use `write_config` then trigger a reload.
--- a/apps/agent/doc/deployment.md
+++ b/apps/agent/doc/deployment.md
@@ -0,0 +1,62 @@
 # Deployment and Permissions
 Socket location and permissions
 - The agent binds a unix socket at the path given by `--sock` or `YANPM_AGENT_SOCK`. The agent will:
  - create the parent directory (best-effort) and attempt to set its permissions to `0770`
  - remove an existing socket file if it is a socket, or fail if the path exists and is not a socket
  - apply the `sock_perm` (3-digit octal) to the socket file and optionally change its GID to `sock_gid`
 Systemd socket/unit example
 Create a `yanpm-agent.socket` unit that creates and owns the unix socket, and a `yanpm-agent.service` that runs the agent. Ensure the socket path used by systemd matches `--sock`.
 Docker / container notes
 - If running the agent inside a container and writing to host nginx config, bind-mount the host nginx config directory into the container at the path provided to `--nginx-config-dir`.
 - Consider running the agent as a user with permission to write the nginx config directory or use a shared group and `sock_gid` so clients can access the socket.
 - The repository provides a runtime image built by `apps/agent/Dockerfile` which packages `nginx` together with the `yanpm-agent` binary and s6-overlay service scripts. This image runs nginx and the agent in one container which is useful when the agent is acting as the runtime companion for the API (`apps/api`).
 Privilege escalation for validation
 - In many systems `nginx -t` may fail due to inability to access `/run/nginx.pid` or other privileged files. The agent attempts a best-effort sequence:
 1. Run `nginx -t` directly.
 2. If that fails with permission errors, try a privileged wrapper (e.g. `/usr/local/sbin/yanpm-nginx-validate` or `yanpm-nginx-validate-file`) via `sudo -n`.
 3. If wrapper is unavailable or fails, retry `nginx -t` with a writable PID override via `-g 'pid /tmp/yanpm-validate-<pid>.pid;'`.
 Security considerations
 - Avoid setting `sock_perm` to allow world access unless explicitly intended.
 - Prefer controlling socket group membership via `sock_gid` rather than making the socket world-writable.
 s6 init scripts, wrappers and sudoers (runtime)
 - Purpose: The image built by `apps/agent/Dockerfile` uses `s6-overlay` as PID 1 (the Dockerfile sets `ENTRYPOINT ["/init"]`). The repository includes `docker/s6/cont-init.d` scripts that run at container startup (one-shot) and `docker/s6/services.d` entries to run long-lived services (nginx and the agent). The cont-init scripts prepare runtime users, permissions, and helper wrappers the agent uses for privileged operations.
 - Key cont-init scripts (in the repo):
  - `docker/s6/cont-init.d/10-create-app-user` — ensures the `yanpm-agent` user and group exist (honoring `YANPM_AGENT_UID`, `YANPM_AGENT_GID`, and `YANPM_AGENT_SOCK_GID`), adds the user to the `nginx` group, and attempts to chown runtime directories like `/var/run/yanpm` and `/app/yanpm-agent` (logs warnings if chown fails for bind mounts or rootless containers).
  - `docker/s6/cont-init.d/20-install-reload-wrapper` — installs three helper wrappers and a sudoers entry so the `yanpm-agent` user can perform narrowly-scoped privileged operations without a password.
 - Wrapper scripts installed by `20-install-reload-wrapper`:
  - `/usr/local/sbin/yanpm-nginx-reload` — runs `nginx -c /etc/nginx/nginx.conf -s reload` (used for reloading the running nginx master process).
  - `/usr/local/sbin/yanpm-nginx-validate` — runs `nginx -c /etc/nginx/nginx.conf -t` (validates the main nginx config).
  - `/usr/local/sbin/yanpm-nginx-validate-file` — securely validates a single nginx config file: it resolves the absolute path, ensures the target is a regular file (not a symlink), checks the file is owned by the `yanpm-agent` user, enforces it's not world-writable, then runs `nginx -c <file> -t`. This defends against symlink and race attacks when an unprivileged agent requests privileged validation.
 - Sudoers entry:
  - The init script writes `/etc/sudoers.d/yanpm-agent` with a rule allowing the configured agent user (default `yanpm-agent`) to run only the three wrappers with `NOPASSWD`. This gives the agent a limited, auditable privilege escalation surface; the agent code attempts to use these wrappers via `sudo -n` before falling back to less privileged strategies.
 - Relevant environment variables (settable in the Dockerfile or at runtime):
  - `YANPM_AGENT_SOCK` — unix socket path (default set in Dockerfile: `/var/run/yanpm/yanpm-agent.sock`).
  - `YANPM_NGINX_CONFIG_DIR` — nginx config dir (default `/etc/nginx/conf.d`).
  - `YANPM_AGENT_SOCK_PERM` — socket permissions (octal string, default `660`).
  - `YANPM_AGENT_SOCK_GID` — desired GID for the socket (optional).
  - `YANPM_AGENT_UID`, `YANPM_AGENT_GID` — runtime UID/GID used to create the `yanpm-agent` user in the container.
 - How the agent uses these runtime helpers:
  - `ValidateCommand` and `ReloadCommand` in the agent code try `nginx` operations directly; when permission problems occur they attempt the privileged wrappers via `sudo -n /usr/local/sbin/yanpm-nginx-validate` or `...-validate-file` and `...-reload`. The cont-init script's wrappers plus the sudoers entry implement that intended secure upgrade path.
 - Notes and recommendations:
  - The `validate-file` wrapper performs ownership and permission checks; ensure written fragments are created by the `yanpm-agent` user (the agent writes files as that user when running inside the container due to `10-create-app-user`).
  - The cont-init scripts attempt to install `sudo` if missing; in minimal images you may prefer providing `sudo` at build time to avoid runtime installation attempts.
  - If you bind-mount host directories (e.g., `/etc/nginx/conf.d`) into the container, ensure ownership and permissions are compatible with the agent user and `YANPM_AGENT_SOCK_GID` so the socket and files are accessible as intended.
--- a/apps/agent/doc/troubleshooting.md
+++ b/apps/agent/doc/troubleshooting.md
@@ -0,0 +1,27 @@
 # Troubleshooting
 Common issues and how to resolve them
 - Socket path exists but is not a socket
  - Symptom: startup fails with an error that the socket path exists and is not a socket.
  - Fix: remove the file at the socket path or choose a different `--sock` path.
 - Permission denied on socket directory or socket
  - Symptom: socket creation or permission setting logs warnings; clients cannot connect.
  - Fix: ensure the socket directory exists and has correct ownership/group and that `sock_perm` and `sock_gid` are configured appropriately. Consider using `chown`/`chmod` from a privileged context.
 - `nginx -t` fails with `/run/nginx.pid: Permission denied`
  - Symptom: validation fails; output contains permission denied for `/run/nginx.pid`.
  - Fixes (tried by the agent):
    1. If available, provide a privileged validation wrapper (e.g. `/usr/local/sbin/yanpm-nginx-validate`) that runs `nginx -t` with appropriate privileges.
    2. Ensure the agent-runner has permission to read the main nginx configuration and `/run/nginx.pid` or allow the agent to use a writable PID override.
 - Fragment file not found during validation
  - Symptom: validate returns 500 with message `Config file not found`.
  - Fix: make sure the fragment has been written via `/write_config` to the agent's internal subdirectory under `NGINX_CONFIG_DIR`, using the same `config_name` and `timestamp` as the validate call.
 - Wrapper or sudo not available
  - Symptom: attempts to run `sudo -n /usr/local/sbin/yanpm-nginx-validate` fail.
  - Fix: install a wrapper script that allows unprivileged `sudo -n` validation or configure proper permissions on nginx state files.
 If none of the above solves the problem, collect the logs produced by the agent (it uses `tracing`/`tracing_subscriber`) and include the exact command outputs from the validation steps when asking for help.
--- a/apps/agent/doc/usage.md
+++ b/apps/agent/doc/usage.md
@@ -0,0 +1,61 @@
 # Usage and Examples
 Running locally (development)
 1. Build the agent (from repository root):
   ```sh
   cargo build -p agent
   ```
 2. Run the agent with defaults (socket in current directory):
   ```sh
   ./target/debug/yanpm-agent
   ```
 3. Run with explicit socket and nginx config directory:
   ```sh
   ./target/debug/yanpm-agent --sock /run/yanpm/yanpm-agent.sock --nginx-config-dir /etc/nginx/conf.d
   ```
 HTTP over unix-socket examples (using `socat` / `curl` helper)
 If you want to call the API from the shell, you can use `socat` to convert the unix socket to an HTTP stream, or use tools that support unix sockets directly (e.g. `curl --unix-socket`). Examples below use `curl --unix-socket`.
 Validate a fragment by name and timestamp:
 ```sh
 curl --unix-socket ./yanpm-agent.sock -X POST http://localhost/validate \
  -H 'Content-Type: application/json' \
  -d '{"config_name":"example","timestamp":1234567890}'
 ```
 Validate and reload (returns `rc` and `ro`):
 ```sh
 curl --unix-socket ./yanpm-agent.sock -X POST http://localhost/validate_and_reload \
  -H 'Content-Type: application/json' \
  -d '{"config_name":"example","timestamp":1234567890}'
 ```
 Write a fragment (create or update):
 ```sh
 curl --unix-socket ./yanpm-agent.sock -X POST http://localhost/write_config \
  -H 'Content-Type: application/json' \
  -d '{"config_name":"example","timestamp":1234567890,"content":"server { listen 80; server_name example.local; }"}'
 ```
 Status endpoint (health)
 ```sh
 curl --unix-socket ./yanpm-agent.sock http://localhost/status
 ```
 Notes
 - Use the `config_name` and `timestamp` fields consistently: `timestamp` is typically a monotonic update ID from the caller ensuring unique file names.
 - When running in containers, mount the host nginx config dir if you want the agent to write directly to host nginx configuration.
 - The repository includes a runtime Docker image built by `apps/agent/Dockerfile` which bundles `nginx` and the `yanpm-agent` binary (via s6-overlay). Use that image when you want nginx and the agent colocated (the agent is intended as a runtime companion to `apps/api`).
--- a/apps/agent/docker/s6/cont-init.d/10-create-app-user
+++ b/apps/agent/docker/s6/cont-init.d/10-create-app-user
@@ -0,0 +1,58 @@
 #!/bin/sh
 set -eu
 YANPM_AGENT_UID="${YANPM_AGENT_UID:-1000}"
 YANPM_AGENT_GID="${YANPM_AGENT_GID:-1000}"
 # If a specific socket GID is requested, prefer that for the app group
 YANPM_AGENT_GID_EFFECTIVE="${YANPM_AGENT_SOCK_GID:-${YANPM_AGENT_GID}}"
 YANPM_AGENT_USER="${YANPM_AGENT_USER:-yanpm-agent}"
 YANPM_AGENT_GROUP="${YANPM_AGENT_GROUP:-yanpm-agent}"
 # Ensure group exists with desired GID
 if grep -qE "^${YANPM_AGENT_GROUP}:" /etc/group 2>/dev/null; then
  existing_gid=$(awk -F: -v g="${YANPM_AGENT_GROUP}" '$1==g{print $3}' /etc/group)
  if [ "${existing_gid}" != "${YANPM_AGENT_GID_EFFECTIVE}" ]; then
    delgroup "${YANPM_AGENT_GROUP}" || true
    addgroup -g "${YANPM_AGENT_GID_EFFECTIVE}" "${YANPM_AGENT_GROUP}"
  fi
 else
  addgroup -g "${YANPM_AGENT_GID_EFFECTIVE}" "${YANPM_AGENT_GROUP}"
 fi
 # Ensure user exists with desired UID and primary group
 if grep -qE "^${YANPM_AGENT_USER}:" /etc/passwd 2>/dev/null; then
  existing_uid=$(awk -F: -v u="${YANPM_AGENT_USER}" '$1==u{print $3}' /etc/passwd)
  if [ "${existing_uid}" != "${YANPM_AGENT_UID}" ]; then
    deluser "${YANPM_AGENT_USER}" || true
    adduser -D -u "${YANPM_AGENT_UID}" -G "${YANPM_AGENT_GROUP}" "${YANPM_AGENT_USER}"
  fi
 else
  adduser -D -u "${YANPM_AGENT_UID}" -G "${YANPM_AGENT_GROUP}" "${YANPM_AGENT_USER}"
 fi
 # Add app user to nginx group to allow reading configs
 addgroup "${YANPM_AGENT_USER}" nginx || true
 # Ensure runtime directories exist and fix ownership
 mkdir -p /var/run/yanpm /app
 if chown -R "${YANPM_AGENT_UID}:${YANPM_AGENT_GID_EFFECTIVE}" /var/run/yanpm 2>/dev/null; then
  echo "chown: /var/run/yanpm -> ${YANPM_AGENT_UID}:${YANPM_AGENT_GID_EFFECTIVE}"
 else
  echo "Warning: failed to chown /var/run/yanpm to ${YANPM_AGENT_UID}:${YANPM_AGENT_GID_EFFECTIVE}. This is common for bind-mounted host volumes or rootless Docker." >&2
 fi
 if chown -R "${YANPM_AGENT_UID}:${YANPM_AGENT_GID_EFFECTIVE}" /app/yanpm-agent 2>/dev/null; then
  echo "chown: /app/yanpm-agent -> ${YANPM_AGENT_UID}:${YANPM_AGENT_GID_EFFECTIVE}"
 else
  echo "Warning: failed to chown /app/yanpm-agent to ${YANPM_AGENT_UID}:${YANPM_AGENT_GID_EFFECTIVE}. Binary will still be used if permissions allow." >&2
 fi
 if chown "${YANPM_AGENT_UID}:${YANPM_AGENT_GID_EFFECTIVE}" /app 2>/dev/null; then
  echo "chown: /app -> ${YANPM_AGENT_UID}:${YANPM_AGENT_GID_EFFECTIVE}"
 else
  echo "Warning: failed to chown /app to ${YANPM_AGENT_UID}:${YANPM_AGENT_GID_EFFECTIVE}." >&2
 fi
 echo "App user and group setup complete. UID:${YANPM_AGENT_UID} GID:${YANPM_AGENT_GID_EFFECTIVE}"
 exit 0
--- a/apps/agent/docker/s6/cont-init.d/20-install-reload-wrapper
+++ b/apps/agent/docker/s6/cont-init.d/20-install-reload-wrapper
@@ -0,0 +1,170 @@
 #!/bin/sh
 set -eu
 # This init script installs a minimal nginx reload wrapper and a sudoers
 # entry so the `yanpm-agent` user can perform a controlled reload via sudo.
 WRAPPER_PATH="/usr/local/sbin/yanpm-nginx-reload"
 SUDOERS_PATH="/etc/sudoers.d/yanpm-agent"
 AGENT_USER="${YANPM_AGENT_USER:-yanpm-agent}"
 # validate wrapper
 VALIDATE_PATH="/usr/local/sbin/yanpm-nginx-validate"
 # validate file wrapper
 VALIDATE_FILE_PATH="/usr/local/sbin/yanpm-nginx-validate-file"
 echo "[cont-init.d] install-reload-wrapper: setting up nginx reload helper"
 # find nginx binary
 NGINX_BIN="$(command -v nginx || true)"
 if [ -z "${NGINX_BIN}" ]; then
  echo "Warning: nginx binary not found in PATH; wrapper will still be created but may fail at runtime." >&2
  NGINX_BIN="/usr/sbin/nginx"
 fi
 # Create wrapper
 mkdir -p /usr/local/sbin /etc/sudoers.d
 cat > "${WRAPPER_PATH}" <<- 'EOF'
 #!/bin/sh
 exec "@NGINX_BIN@" -c /etc/nginx/nginx.conf -s reload
 EOF
 # Replace placeholder with actual path
 sed -i "s|@NGINX_BIN@|${NGINX_BIN}|g" "${WRAPPER_PATH}" || true
 chmod 0750 "${WRAPPER_PATH}"
 chown root:root "${WRAPPER_PATH}" || true
 #
 #
 #
 # Create validate wrapper
 cat > "${VALIDATE_PATH}" <<- 'EOF'
 #!/bin/sh
 exec "@NGINX_BIN@" -c /etc/nginx/nginx.conf -t
 EOF
 # Replace placeholder with actual path in validate wrapper
 sed -i "s|@NGINX_BIN@|${NGINX_BIN}|g" "${VALIDATE_PATH}" || true
 chmod 0750 "${VALIDATE_PATH}"
 chown root:root "${VALIDATE_PATH}" || true
 #
 #
 #
 # Create validate file wrapper (secure)
 cat > "${VALIDATE_FILE_PATH}" <<-'EOF'
 #!/bin/sh
 set -eu
 if [ $# -ne 1 ]; then
  echo "Usage: $0 <nginx-config-file>" >&2
  exit 2
 fi
 INPUT="$1"
 # Resolve absolute path
 if command -v readlink >/dev/null 2>&1; then
  TARGET="$(readlink -f -- "$INPUT" 2>/dev/null || true)"
 elif command -v realpath >/dev/null 2>&1; then
  TARGET="$(realpath -- "$INPUT" 2>/dev/null || true)"
 else
  echo "Error: no path resolver (readlink/realpath) available" >&2
  exit 3
 fi
 if [ -z "$TARGET" ]; then
  echo "Error: cannot resolve path: $INPUT" >&2
  exit 4
 fi
 # Must be a regular file and not a symlink
 if [ ! -f "$TARGET" ] || [ -L "$TARGET" ]; then
  echo "Error: ${TARGET} is not a regular file" >&2
  exit 5
 fi
 # must be created by agent user
 AGENT_UID="$(id -u yanpm-agent 2>/dev/null || true)"
 if [ -z "$AGENT_UID" ]; then
  echo "Error: yanpm-agent user not found" >&2
  exit 6
 fi
 FILE_UID="$(stat -c %u -- "$TARGET" 2>/dev/null || true)"
 if [ "$FILE_UID" != "$AGENT_UID" ]; then
  echo "Error: ${TARGET} not owned by yanpm-agent user" >&2
  exit 7
 fi
 # Ensure file is not world-writable; allow typical 664 (rw-rw-r--)
 if command -v stat >/dev/null 2>&1; then
  MODE="$(stat -c %a -- "$TARGET" 2>/dev/null || true)"
  if [ -n "$MODE" ]; then
    OTHERS=$(( MODE % 10 ))
    if [ $(( OTHERS & 2 )) -ne 0 ]; then
      echo "Error: ${TARGET} is world-writable" >&2
      exit 8
    fi
  fi
 elif command -v find >/dev/null 2>&1; then
  if find "$TARGET" -maxdepth 0 -perm /002 -print -quit >/dev/null 2>&1; then
    echo "Error: ${TARGET} is world-writable" >&2
    exit 8
  fi
 fi
 exec "@NGINX_BIN@" -c "$TARGET" -t
 EOF
 # Replace placeholder with actual path in validate file wrapper
 sed -i "s|@NGINX_BIN@|${NGINX_BIN}|g" "${VALIDATE_FILE_PATH}" || true
 chmod 0750 "${VALIDATE_FILE_PATH}"
 chown root:root "${VALIDATE_FILE_PATH}" || true
 echo "Created wrapper: ${WRAPPER_PATH} (owned by root, mode 750)"
 #
 #
 #
 # Ensure sudoers entry exists allowing the agent to run only this wrapper as root
 if command -v sudo >/dev/null 2>&1; then
  echo "sudo present; creating sudoers entry"
  cat > "${SUDOERS_PATH}" <<- EOF
 # Allow ${AGENT_USER} to run the nginx reload and validate wrappers without a password
 ${AGENT_USER} ALL=(root) NOPASSWD: ${WRAPPER_PATH}, ${VALIDATE_PATH}, ${VALIDATE_FILE_PATH}
 EOF
  chmod 0440 "${SUDOERS_PATH}" || true
  echo "Wrote sudoers entry: ${SUDOERS_PATH}"
 else
  echo "sudo not found; attempting to install"
  if command -v apk >/dev/null 2>&1; then
    apk add --no-cache sudo || true
  elif command -v apt-get >/dev/null 2>&1; then
    apt-get update || true
    apt-get install -y sudo || true
  elif command -v yum >/dev/null 2>&1; then
    yum install -y sudo || true
  else
    echo "No known package manager to install sudo; please ensure sudo is available in the image." >&2
  fi
  if command -v sudo >/dev/null 2>&1; then
    cat > "${SUDOERS_PATH}" <<- EOF
 # Allow ${AGENT_USER} to run the nginx reload and validate wrappers without a password
 ${AGENT_USER} ALL=(root) NOPASSWD: ${WRAPPER_PATH}, ${VALIDATE_PATH}, ${VALIDATE_FILE_PATH}
 EOF
    chmod 0440 "${SUDOERS_PATH}" || true
    echo "Installed sudo and wrote sudoers entry: ${SUDOERS_PATH}"
  else
    echo "Failed to install sudo; the agent will not be able to reload nginx via sudo." >&2
  fi
 fi
 exit 0
--- a/apps/agent/docker/s6/services.d/agent/run
+++ b/apps/agent/docker/s6/services.d/agent/run
@@ -0,0 +1,5 @@
 #!/bin/sh
 # Run the agent as the unprivileged 'yanpm-agent' user
 cd /app
 echo "Starting yanpm-agent..."
 exec s6-setuidgid yanpm-agent ./yanpm-agent
--- a/apps/agent/docker/s6/services.d/nginx/run
+++ b/apps/agent/docker/s6/services.d/nginx/run
@@ -0,0 +1,3 @@
 #!/bin/sh
 # Run nginx in foreground (s6 will supervise it)
 exec nginx -g 'daemon off;'
--- a/apps/agent/justfile
+++ b/apps/agent/justfile
@@ -0,0 +1,2 @@
 build-docker:
  docker build -t yanpm/agent:latest .
--- a/apps/agent/src/commands.rs
+++ b/apps/agent/src/commands.rs
@@ -0,0 +1,292 @@
 mod reload;
 mod run;
 mod validate;
 mod write_config;
 use std::{
    collections::HashMap,
    sync::{
        Arc,
        atomic::{AtomicU64, Ordering},
    },
 };
 use tokio::sync::{Mutex, RwLock};
 use tokio_cron_scheduler::{Job, JobScheduler};
 use tracing::{error, info};
 use crate::commands::write_config::INTERNAL_CONFIG_FOLDER_NAME;
 const OLD_CONFIG_CLEANUP_THRESHOLD: u64 = 3600;
 pub struct NginxService {
    // lock for nginx reload, and timestamp tracking
    nginx_lock: Mutex<()>,
    last_applied: AtomicU64,
    // lock for write_config per (config_name, timestamp)
    #[allow(clippy::type_complexity)]
    write_config_lock: RwLock<HashMap<(String, u64), Arc<RwLock<()>>>>,
    // commands
    reload_cmd: Arc<reload::ReloadCommand>,
    validate_cmd: Arc<validate::ValidateCommand>,
    write_config_cmd: Arc<write_config::WriteConfigCommand>,
 }
 impl NginxService {
    pub async fn new(
        scheduler: Arc<JobScheduler>,
        nginx_config_dir: std::path::PathBuf,
    ) -> Result<Arc<Self>, Box<dyn std::error::Error + Send + Sync>> {
        let nginx_service = Arc::new(NginxService {
            nginx_lock: Mutex::new(()),
            last_applied: AtomicU64::new(0),
            write_config_lock: RwLock::new(HashMap::new()),
            // commands
            reload_cmd: Arc::new(reload::ReloadCommand::default()),
            validate_cmd: Arc::new(validate::ValidateCommand::new(nginx_config_dir.clone())),
            write_config_cmd: Arc::new(write_config::WriteConfigCommand::new(nginx_config_dir)),
        });
        let mut nginx_service_clone = nginx_service.clone();
        scheduler
            .clone()
            // cleanup every 10 minutes
            .add(Job::new_async("0 */10 * * * *", move |_uuid, _l| {
                info!("Running nginx_service cleanup job");
                let nginx_service_clone = nginx_service_clone.clone();
                let job = Box::pin(async move {
                    nginx_service_clone.cleanup_unused_lock().await;
                });
                info!("NginxService cleanup job completed");
                job
            })?)
            .await?;
        nginx_service_clone = nginx_service.clone();
        scheduler
            .clone()
            // cleanup every hour
            .add(Job::new_async("0 0 */1 * * *", move |_uuid, _l| {
                info!("Running nginx_service old config cleanup job");
                let nginx_service_clone = nginx_service_clone.clone();
                let job = Box::pin(async move {
                    nginx_service_clone.cleanup_old_configs().await;
                });
                info!("NginxService old config cleanup job completed");
                job
            })?)
            .await?;
        Ok(nginx_service)
    }
    pub async fn validate_and_reload(
        &self,
        config_name: &str,
        timestamp: u64,
    ) -> Result<(i32, String), Box<dyn std::error::Error + Send + Sync>> {
        let cur = self.last_applied.load(Ordering::SeqCst);
        if cur > timestamp {
            return Err("Another operation is in progress with higher timestamp value".into());
        }
        // acquire write lock to update nginx_lock
        let _nginx_guard = self.nginx_lock.lock().await;
        // acquire write lock for this config+timestamp
        let rw_lock = self.acquire_file_write_lock(config_name, timestamp).await;
        let _guard = rw_lock.write().await;
        match self
            .reload_cmd
            .validate_and_reload(config_name, timestamp, self.validate_cmd.clone())
            .await
        {
            Ok((code, output)) => {
                // update last_applied
                self.last_applied.store(timestamp, Ordering::SeqCst);
                Ok((code, output))
            }
            Err(e) => Err(e),
        }
    }
    pub async fn write_config(
        &self,
        config_name: &str,
        timestamp: u64,
        content: &str,
    ) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
        let rw_lock = self.acquire_file_write_lock(config_name, timestamp).await;
        let _guard = rw_lock.write().await;
        // call the write_config command
        self.write_config_cmd
            .write_config(config_name, timestamp, content)
            .await
    }
    pub async fn validate(
        &self,
        config_name: &str,
        timestamp: u64,
    ) -> Result<(i32, String), Box<dyn std::error::Error + Send + Sync>> {
        self.validate_cmd.validate(config_name, timestamp).await
    }
    async fn cleanup_unused_lock(&self) {
        let mut _write_lock = self.write_config_lock.write().await;
        (*_write_lock).retain(|_, lock| {
            // retain only locks that are currently held (readers or writers)
            lock.try_write().is_err()
        });
    }
    async fn cleanup_old_configs(&self) {
        // list all files within nginx_config_dir/YANPM that is older than now - OLD_CONFIG_CLEANUP_THRESHOLD
        let cutoff = std::time::SystemTime::now()
            .duration_since(std::time::UNIX_EPOCH)
            .unwrap()
            .as_secs()
            - OLD_CONFIG_CLEANUP_THRESHOLD;
        let nginx_config_dir = self.validate_cmd.nginx_config_dir();
        let yanpm_dir = nginx_config_dir.join(INTERNAL_CONFIG_FOLDER_NAME);
        let read_dir = match tokio::fs::read_dir(&yanpm_dir).await {
            Ok(rd) => rd,
            Err(e) if e.kind() == std::io::ErrorKind::NotFound => {
                // directory does not exist, nothing to clean up
                return;
            }
            Err(e) => {
                error!(
                    "Error reading {} config directory {}: {}",
                    INTERNAL_CONFIG_FOLDER_NAME,
                    yanpm_dir.display(),
                    e
                );
                return;
            }
        };
        tokio::pin!(read_dir);
        while let Some(entry) = read_dir.next_entry().await.unwrap_or(None) {
            let metadata = match entry.metadata().await {
                Ok(md) => md,
                Err(e) => {
                    error!(
                        "Error getting metadata for file {}: {}",
                        entry.path().display(),
                        e
                    );
                    continue;
                }
            };
            if let Ok(modified) = metadata.modified()
                && let Ok(duration) = modified.duration_since(std::time::UNIX_EPOCH)
            {
                let mtime_secs = duration.as_secs();
                if mtime_secs < cutoff {
                    // file is older than cutoff, remove it
                    if let Err(e) = tokio::fs::remove_file(entry.path()).await {
                        error!(
                            "Error removing old config file {}: {}",
                            entry.path().display(),
                            e
                        );
                    } else {
                        info!("Removed old config file {}", entry.path().display());
                    }
                }
            }
        }
    }
    async fn acquire_file_write_lock(&self, config_name: &str, timestamp: u64) -> Arc<RwLock<()>> {
        let mut write_lock = self.write_config_lock.write().await;
        write_lock
            .entry((config_name.to_string(), timestamp))
            .or_insert_with(|| Arc::new(RwLock::new(())))
            .clone()
    }
 }
 #[cfg(test)]
 mod tests {
    use super::*;
    use std::error::Error;
    use std::sync::Arc as StdArc;
    use tokio::time::{Duration, sleep};
    impl NginxService {
        // Test helper that simulates a long-running reload without invoking external commands.
        pub async fn test_simulated_reload(
            &self,
            config_name: &str,
            timestamp: u64,
            delay_ms: u64,
        ) -> Result<(), Box<dyn Error + Send + Sync>> {
            // pre-check
            let cur = self.last_applied.load(Ordering::SeqCst);
            if cur >= timestamp {
                return Err("stale".into());
            }
            // acquire exclusive lock and re-check
            let _nginx_guard = self.nginx_lock.lock().await;
            let cur2 = self.last_applied.load(Ordering::SeqCst);
            if cur2 >= timestamp {
                return Err("stale".into());
            }
            // per-file lock
            let rw_lock = self.acquire_file_write_lock(config_name, timestamp).await;
            let _guard = rw_lock.write().await;
            // simulate operation
            sleep(Duration::from_millis(delay_ms)).await;
            // on success update last_applied
            let mut prev = self.last_applied.load(Ordering::SeqCst);
            while prev < timestamp {
                match self.last_applied.compare_exchange(
                    prev,
                    timestamp,
                    Ordering::SeqCst,
                    Ordering::SeqCst,
                ) {
                    Ok(_) => break,
                    Err(next) => prev = next,
                }
            }
            Ok(())
        }
    }
    #[tokio::test]
    async fn concurrent_stale_is_rejected() {
        let scheduler = StdArc::new(JobScheduler::new().await.unwrap());
        let svc = NginxService::new(scheduler.clone(), std::env::temp_dir())
            .await
            .unwrap();
        let s1 = svc.clone();
        let h1 = tokio::spawn(async move { s1.test_simulated_reload("cfg", 2, 200).await });
        // let second start shortly after first so it will wait for the mutex
        sleep(Duration::from_millis(20)).await;
        let s2 = svc.clone();
        let h2 = tokio::spawn(async move { s2.test_simulated_reload("cfg", 1, 10).await });
        let r1 = h1.await.unwrap();
        assert!(r1.is_ok(), "first (newer) task should succeed");
        let r2 = h2.await.unwrap();
        assert!(
            r2.is_err(),
            "second (older) task should be rejected as stale"
        );
    }
 }
--- a/apps/agent/src/commands/reload.rs
+++ b/apps/agent/src/commands/reload.rs
@@ -0,0 +1,109 @@
 use std::path::Path;
 use std::sync::Arc;
 use std::time::{SystemTime, UNIX_EPOCH};
 use tokio::sync::Mutex;
 use tracing::error;
 use crate::commands::write_config::INTERNAL_CONFIG_FOLDER_NAME;
 use crate::commands::{run::run_cmd, validate::ValidateCommand};
 pub struct ReloadCommand {
    is_reloading: Mutex<bool>,
 }
 struct ReloadResetGuard<'a> {
    guard: tokio::sync::MutexGuard<'a, bool>,
 }
 impl<'a> Drop for ReloadResetGuard<'a> {
    fn drop(&mut self) {
        *self.guard = false;
    }
 }
 impl Default for ReloadCommand {
    fn default() -> Self {
        Self {
            is_reloading: Mutex::new(false),
        }
    }
 }
 impl ReloadCommand {
    pub async fn validate_and_reload(
        &self,
        config_name: &str,
        timestamp: u64,
        validate_cmd: Arc<ValidateCommand>,
    ) -> Result<(i32, String), Box<dyn std::error::Error + Send + Sync>> {
        // ensure the written fragment exists
        validate_cmd.validate(config_name, timestamp).await?;
        // Now atomically swap the YANPM.conf symlink to point to the new fragment
        // so nginx -t validates the composed main config. If validation fails,
        // attempt to restore the previous symlink.
        let filename = crate::commands::run::to_file_name(config_name, timestamp)?;
        let nginx_dir = validate_cmd.nginx_config_dir();
        let symlink_path = nginx_dir.join("YANPM.conf");
        let now = SystemTime::now().duration_since(UNIX_EPOCH)?.as_nanos();
        let tmp_name = format!("YANPM.conf.tmp.{}.{}", std::process::id(), now);
        let tmp_path = nginx_dir.join(&tmp_name);
        // prepare relative target: INTERNAL_CONFIG_FOLDER_NAME/<filename>
        let rel_target = Path::new(INTERNAL_CONFIG_FOLDER_NAME).join(&filename);
        // read previous target if exists
        let previous_target = std::fs::read_link(&symlink_path).ok();
        // Acquire reload guard before mutating the symlink to avoid races
        let reloading_lock = self.is_reloading.lock().await;
        if *reloading_lock {
            return Err("Reload already in progress".into());
        }
        // set flag to true and ensure it is reset on drop
        let mut mut_guard = reloading_lock;
        *mut_guard = true;
        let _reset_guard = ReloadResetGuard { guard: mut_guard };
        // create temporary symlink and atomically rename into place
        std::os::unix::fs::symlink(&rel_target, &tmp_path)?;
        tokio::fs::rename(&tmp_path, &symlink_path).await?;
        // validate composed main config now that symlink points to new fragment
        if let Err(e) = validate_cmd.validate_all().await {
            // restore previous symlink state while still holding the guard
            if let Some(prev) = previous_target {
                let restore_tmp =
                    nginx_dir.join(format!("YANPM.conf.restore.{}.{}", std::process::id(), now));
                std::os::unix::fs::symlink(&prev, &restore_tmp)?;
                if let Err(err) = tokio::fs::rename(&restore_tmp, &symlink_path).await {
                    error!(
                        "Failed to restore previous YANPM.conf symlink after validation error: {}",
                        err
                    );
                }
            } else if let Err(err) = tokio::fs::remove_file(&symlink_path).await {
                error!(
                    "Failed to remove YANPM.conf symlink after validation error: {}",
                    err
                );
            }
            return Err(e);
        }
        // reload the running nginx master process (no -c) so it reloads its configured main config
        // Prefer the restricted sudo wrapper if available, fall back to direct nginx reload.
        // TODO: allow configuring the path to the wrapper
        match run_cmd("sudo", &["-n", "/usr/local/sbin/yanpm-nginx-reload"], 10).await {
            Ok(res) => Ok(res),
            Err(e) => {
                error!(
                    "sudo reload wrapper failed, falling back to direct nginx reload: {}",
                    e
                );
                run_cmd("nginx", &["-s", "reload"], 10).await
            }
        }
    }
 }
--- a/apps/agent/src/commands/run.rs
+++ b/apps/agent/src/commands/run.rs
@@ -0,0 +1,85 @@
 use std::time::Duration;
 use tokio::{process::Command, time::timeout};
 use tracing::error;
 pub fn to_file_name(
    config_name: &str,
    timestamp: u64,
 ) -> Result<String, Box<dyn std::error::Error + Send + Sync>> {
    // reject empty or unsafe names to avoid path traversal or invalid filesystem chars
    if config_name.is_empty() {
        return Err("config_name is empty".into());
    }
    if config_name.len() > 255 {
        return Err("config_name too long".into());
    }
    if config_name.contains('/') || config_name.contains('\\') || config_name.contains("..") {
        return Err("config_name contains invalid path characters".into());
    }
    if !config_name
        .chars()
        .all(|c| c.is_ascii_alphanumeric() || "-._".contains(c))
    {
        return Err("config_name contains invalid characters".into());
    }
    Ok(format!("{}_{}.conf", timestamp, config_name))
 }
 pub async fn run_cmd(
    cmd: &str,
    args: &[&str],
    dur_s: u64,
 ) -> Result<(i32, String), Box<dyn std::error::Error + Send + Sync>> {
    let mut c = Command::new(cmd);
    c.args(args);
    let res = timeout(Duration::from_secs(dur_s), c.output()).await;
    let out = match res {
        Ok(Ok(out)) => out,
        Ok(Err(e)) => return Err(Box::new(e)),
        Err(_) => {
            return Err(Box::new(std::io::Error::new(
                std::io::ErrorKind::TimedOut,
                "command timeout",
            )));
        }
    };
    let code = out.status.code().unwrap_or(-1);
    let output = String::from_utf8_lossy(&[out.stdout, out.stderr].concat()).to_string();
    if code != 0 {
        error!("command failed ({}): {}", code, output);
        return Err(format!("command failed ({}): {}", code, output).into());
    }
    Ok((code, output))
 }
 #[cfg(test)]
 mod tests {
    use super::to_file_name;
    #[test]
    fn to_file_name_valid() {
        let res = to_file_name("myconf", 1234).expect("should succeed");
        assert_eq!(res, "1234_myconf.conf");
    }
    #[test]
    fn to_file_name_empty() {
        assert!(to_file_name("", 1).is_err());
    }
    #[test]
    fn to_file_name_invalid_chars() {
        assert!(to_file_name("bad/name", 1).is_err());
        assert!(to_file_name("bad\\name", 1).is_err());
        assert!(to_file_name("bad..name", 1).is_err());
        assert!(to_file_name("bad$name", 1).is_err());
    }
    #[test]
    fn to_file_name_too_long() {
        let long = "a".repeat(300);
        assert!(to_file_name(&long, 1).is_err());
    }
 }
--- a/apps/agent/src/commands/validate.rs
+++ b/apps/agent/src/commands/validate.rs
@@ -0,0 +1,166 @@
 use tracing::{info, warn};
 use crate::commands::{run::run_cmd, write_config::INTERNAL_CONFIG_FOLDER_NAME};
 use std::path::PathBuf;
 pub struct ValidateCommand {
    nginx_config_dir: PathBuf,
 }
 impl ValidateCommand {
    pub fn new(nginx_config_dir: PathBuf) -> Self {
        Self { nginx_config_dir }
    }
    pub fn nginx_config_dir(&self) -> PathBuf {
        self.nginx_config_dir.clone()
    }
    pub async fn validate_all(
        &self,
    ) -> Result<(i32, String), Box<dyn std::error::Error + Send + Sync>> {
        // Try a normal config test first. If it fails due to pid permission
        // errors (common when running unprivileged against /run/nginx.pid),
        // retry with a writable pid override so validation can succeed.
        match run_cmd("nginx", &["-t"], 10).await {
            Ok(res) => Ok(res),
            Err(e) => {
                info!(
                    "nginx -t failed: {}. Trying with privileged wrapper or writable pid override.",
                    e
                );
                let es = e.to_string();
                if es.contains("/run/nginx.pid") && es.contains("Permission denied") {
                    // Try privileged validate wrapper if available (allows the agent to run
                    // nginx -t via sudo without modifying the main config).
                    match run_cmd(
                        "sudo",
                        // TODO: allow configuring the path to the wrapper
                        &["-n", "/usr/local/sbin/yanpm-nginx-validate"],
                        10,
                    )
                    .await
                    {
                        Ok(res) => return Ok(res),
                        Err(e) => {
                            warn!(
                                "Privileged validate wrapper failed: {}. Falling back to writable pid override.",
                                e
                            );
                            // Fallback to the existing writable-pid override if sudo wrapper
                            // isn't available or fails.
                            let pid_path = format!(
                                "{}/yanpm-validate-{}.pid",
                                std::env::temp_dir().display(),
                                std::process::id()
                            );
                            let g_arg = format!("pid {};", pid_path);
                            let args_vec = ["-t".to_string(), "-g".to_string(), g_arg];
                            let args_ref: Vec<&str> = args_vec.iter().map(|s| s.as_str()).collect();
                            return run_cmd("nginx", args_ref.as_slice(), 10).await;
                        }
                    }
                }
                Err(e)
            }
        }
    }
    pub async fn validate(
        &self,
        config_name: &str,
        timestamp: u64,
    ) -> Result<(i32, String), Box<dyn std::error::Error + Send + Sync>> {
        let filename = crate::commands::run::to_file_name(config_name, timestamp)?;
        // fragments are written into the YANPM subdirectory
        let full_path = self
            .nginx_config_dir
            .join(INTERNAL_CONFIG_FOLDER_NAME)
            .join(&filename);
        // ensure the fragment file exists
        if tokio::fs::metadata(&full_path).await.is_err() {
            return Err(format!("Config file not found: {}", full_path.display()).into());
        }
        // Create a temporary wrapper nginx config that provides the required
        // top-level sections (`events` and `http`) and includes the fragment.
        let fragment_path = full_path.to_str().ok_or("invalid config path")?.to_string();
        let mut tmp_path = std::env::temp_dir();
        let tmp_name = format!("yanpm-validate-{}-{}.conf", timestamp, std::process::id());
        tmp_path.push(tmp_name);
        let wrapper = format!(
            "worker_processes 1;\nevents {{ worker_connections 1024; }}\nhttp {{\n    include {};\n}}\n",
            fragment_path
        );
        // Write the temporary wrapper file
        tokio::fs::write(&tmp_path, wrapper).await?;
        let tmp_path_str = tmp_path
            .to_str()
            .ok_or("invalid temp config path")?
            .to_string();
        // Run the test against the wrapper, telling nginx to place its pid
        // somewhere writable so the config test doesn't fail with permission
        // errors when running as an unprivileged user.
        let result = match run_cmd("nginx", &["-t", "-c", &tmp_path_str], 10).await {
            Ok(res) => Ok(res),
            Err(e) => {
                info!(
                    "nginx -t failed: {}. Trying with privileged wrapper or writable pid override.",
                    e
                );
                let es = e.to_string();
                if es.contains("/run/nginx.pid") && es.contains("Permission denied") {
                    // Try privileged validate wrapper if available (allows the agent to run
                    // nginx -t via sudo without modifying the main config).
                    match run_cmd(
                        "sudo",
                        // TODO: allow configuring the path to the wrapper
                        &[
                            "-n",
                            "/usr/local/sbin/yanpm-nginx-validate-file",
                            &tmp_path_str,
                        ],
                        10,
                    )
                    .await
                    {
                        Ok(res) => return Ok(res),
                        Err(e) => {
                            warn!(
                                "Privileged validate wrapper failed: {}. Falling back to writable pid override.",
                                e
                            );
                            let pid_path = format!(
                                "{}/yanpm-validate-{}.pid",
                                std::env::temp_dir().display(),
                                std::process::id()
                            );
                            let g_arg = format!("pid {};", pid_path);
                            let args_vec = [
                                "-t".to_string(),
                                "-c".to_string(),
                                tmp_path_str.clone(),
                                "-g".to_string(),
                                g_arg,
                            ];
                            let args_ref: Vec<&str> = args_vec.iter().map(|s| s.as_str()).collect();
                            return run_cmd("nginx", args_ref.as_slice(), 10).await;
                        }
                    }
                }
                Err(e)
            }
        };
        let _ = tokio::fs::remove_file(&tmp_path).await;
        result
    }
 }
--- a/apps/agent/src/commands/write_config.rs
+++ b/apps/agent/src/commands/write_config.rs
@@ -0,0 +1,133 @@
 use std::os::unix::fs::PermissionsExt;
 use std::path::PathBuf;
 use std::time::{SystemTime, UNIX_EPOCH};
 use tokio::io::AsyncWriteExt;
 use tracing::info;
 use crate::commands::run::to_file_name;
 pub const INTERNAL_CONFIG_FOLDER_NAME: &str = "YANPM";
 const FILE_SIZE_LIMIT: usize = 10 * 1024 * 1024; // 10MB
 pub struct WriteConfigCommand {
    nginx_config_dir: PathBuf,
 }
 impl WriteConfigCommand {
    pub fn new(nginx_config_dir: PathBuf) -> Self {
        Self { nginx_config_dir }
    }
    pub async fn write_config(
        &self,
        config_name: &str,
        timestamp: u64,
        content: &str,
    ) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
        let filename = to_file_name(config_name, timestamp)?;
        let path = self.nginx_config_dir.clone();
        // ensure main config dir exists
        tokio::fs::create_dir_all(&path).await?;
        info!("Writing config to {:?}", path.join(&filename));
        // create YANPM subdir where fragment files live
        let yanpm_dir = path.join(INTERNAL_CONFIG_FOLDER_NAME);
        tokio::fs::create_dir_all(&yanpm_dir).await?;
        let final_path = yanpm_dir.join(&filename);
        // limit size to 10MB
        if content.len() > FILE_SIZE_LIMIT {
            return Err(format!(
                "content exceeds {}MB size limit",
                FILE_SIZE_LIMIT / (1024 * 1024)
            )
            .into());
        }
        // create a temporary filename in the same directory for atomic replace
        let now = SystemTime::now().duration_since(UNIX_EPOCH)?.as_nanos();
        let tmp_filename = format!("{}.tmp.{}.{}", filename, std::process::id(), now);
        // create tmp file in the same directory as final file to ensure atomic rename
        let tmp_path = yanpm_dir.join(tmp_filename);
        let mut file = tokio::fs::OpenOptions::new()
            .create(true)
            .write(true)
            .truncate(true)
            .open(&tmp_path)
            .await?;
        file.write_all(content.as_bytes()).await?;
        // ensure data is flushed to disk; propagate errors
        file.sync_all().await?;
        // atomically move the tmp file into the YANPM dir
        tokio::fs::rename(&tmp_path, &final_path).await?;
        // set explicit permissions (rw-r-----)
        tokio::fs::set_permissions(&final_path, std::fs::Permissions::from_mode(0o640)).await?;
        info!("Config written and permissions set for {:?}", final_path);
        Ok(())
    }
 }
 #[cfg(test)]
 mod tests {
    use super::{INTERNAL_CONFIG_FOLDER_NAME, WriteConfigCommand};
    use std::time::SystemTime;
    use std::time::UNIX_EPOCH;
    #[tokio::test]
    async fn write_config_success_and_cleanup() {
        let base = std::env::temp_dir().join(format!(
            "yanpm_test_{}_{}",
            std::process::id(),
            SystemTime::now()
                .duration_since(UNIX_EPOCH)
                .unwrap()
                .as_nanos()
        ));
        // ensure clean
        let _ = tokio::fs::remove_dir_all(&base).await;
        let cmd = WriteConfigCommand::new(base.clone());
        let config_name = "unittest";
        let timestamp = 42u64;
        let content = "hello world";
        cmd.write_config(config_name, timestamp, content)
            .await
            .expect("write should succeed");
        let filename = super::to_file_name(config_name, timestamp).unwrap();
        let final_path = base.join(INTERNAL_CONFIG_FOLDER_NAME).join(&filename);
        let data = tokio::fs::read_to_string(&final_path)
            .await
            .expect("file should exist");
        assert_eq!(data, content);
        // cleanup
        tokio::fs::remove_dir_all(&base).await.expect("cleanup");
    }
    #[tokio::test]
    async fn write_config_size_limit() {
        let base = std::env::temp_dir().join(format!(
            "yanpm_test_{}_{}",
            std::process::id(),
            SystemTime::now()
                .duration_since(UNIX_EPOCH)
                .unwrap()
                .as_nanos()
        ));
        let _ = tokio::fs::remove_dir_all(&base).await;
        let cmd = WriteConfigCommand::new(base.clone());
        // exceed 10MB limit
        let large = vec![b'a'; 10 * 1024 * 1024 + 1];
        let large_str = String::from_utf8_lossy(&large).to_string();
        let res = cmd.write_config("big", 1, &large_str).await;
        assert!(res.is_err());
        let _ = tokio::fs::remove_dir_all(&base).await;
    }
 }
--- a/apps/agent/src/main.rs
+++ b/apps/agent/src/main.rs
@@ -0,0 +1,221 @@
 #![forbid(unsafe_code)]
 mod commands;
 mod openapi;
 mod routes;
 use axum::routing::get;
 use axum::{Router, routing::post};
 use clap::Parser;
 use std::os::unix::fs::PermissionsExt;
 use std::path::PathBuf;
 use std::sync::Arc;
 use tokio::net::UnixListener;
 use tracing::{error, info, warn};
 use crate::commands::NginxService;
 use crate::openapi::{GenerateOpenapiArgs, generate_openapi_doc};
 use crate::routes::{status, validate, validate_and_reload, write_config};
 const SOCK_ENV: &str = "YANPM_AGENT_SOCK";
 const SOCK_PERM_ENV: &str = "YANPM_AGENT_SOCK_PERM";
 const NGINX_CONFIG_DIR_ENV: &str = "YANPM_NGINX_CONFIG_DIR";
 const SOCK_GID_ENV: &str = "YANPM_AGENT_SOCK_GID";
 const SOCK_DEFAULT: &str = "./yanpm-agent.sock";
 const NGINX_CONFIG_DIR_DEFAULT: &str = "/etc/nginx/conf.d";
 const SOCK_PERM_DEFAULT: &str = "660";
 const SOCK_GID_DEFAULT: &str = "";
 /// Command line arguments
 #[derive(Parser, Debug)]
 #[command(author, version, about, long_about = None)]
 struct Args {
    /// Unix socket path to bind the agent daemon to
    #[arg(short = 's', long, default_value_t = String::from(SOCK_DEFAULT), env = SOCK_ENV)]
    sock: String,
    /// Directory where generated nginx config files will be written
    #[arg(short = 'd', long, default_value_t = String::from(NGINX_CONFIG_DIR_DEFAULT), env = NGINX_CONFIG_DIR_ENV)]
    nginx_config_dir: String,
    /// Permissions to set on the unix socket (in octal), e.g. 660
    #[arg(long, default_value_t = String::from(SOCK_PERM_DEFAULT), env = SOCK_PERM_ENV)]
    sock_perm: String,
    /// GID to set on the unix socket, default: current user's primary group
    #[arg(long, default_value_t = String::from(SOCK_GID_DEFAULT), env = SOCK_GID_ENV)]
    sock_gid: String,
    #[command(subcommand)]
    command: Option<SubCommand>,
 }
 #[derive(clap::Subcommand, Debug)]
 pub enum SubCommand {
    /// Generate OpenAPI spec to file or stdout
    GenerateOpenapi {
        /// Output file path.
        #[arg(short = 'o', long)]
        output: String,
    },
 }
 #[tokio::main]
 async fn main() -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
    let subscriber = tracing_subscriber::fmt()
        .with_max_level(tracing::Level::INFO)
        .with_target(false)
        .with_level(true)
        .with_timer(tracing_subscriber::fmt::time::SystemTime)
        .finish();
    tracing::subscriber::set_global_default(subscriber)
        .expect("Failed to set global default subscriber");
    let args = Args::parse();
    if let Some(cmd) = &args.command {
        match cmd {
            SubCommand::GenerateOpenapi { output } => {
                generate_openapi_doc(&GenerateOpenapiArgs {
                    output: output.clone(),
                })
                .await?;
                return Ok(());
            }
        }
    }
    let (sock, nginx_config_dir, sock_perm, sock_gid) = get_args(&args).await?;
    let path = PathBuf::from(&sock);
    if let Some(dir) = path.parent() {
        tokio::fs::create_dir_all(dir).await.unwrap_or_else(|err| {
            error!(
                "Warning: failed to create socket directory {}: {}",
                dir.display(),
                err
            )
        });
        // permissive; set tighter perms in production via image/build steps
        tokio::fs::set_permissions(dir, std::fs::Permissions::from_mode(0o770))
            .await
            .unwrap_or_else(|err| {
                error!(
                    "Warning: failed to set permissions on socket directory {}: {}",
                    dir.display(),
                    err
                )
            });
    }
    // If an existing path exists at the socket location, ensure it's a socket
    match tokio::fs::metadata(&path).await {
        Ok(md) => {
            use std::os::unix::fs::FileTypeExt;
            if md.file_type().is_socket() {
                tokio::fs::remove_file(&path).await.unwrap_or_else(|err| {
                    error!(
                        "Warning: failed to remove existing socket file {}: {}",
                        path.display(),
                        err
                    )
                });
            } else {
                return Err(
                    format!("Socket path {} exists and is not a socket", path.display()).into(),
                );
            }
        }
        Err(e) if e.kind() == std::io::ErrorKind::NotFound => {}
        Err(e) => {
            return Err(format!("Failed to stat socket path {}: {}", path.display(), e).into());
        }
    }
    // bind using tokio's UnixListener (avoids converting a blocking std listener)
    let listener = UnixListener::bind(&path).expect("Failed to bind to unix socket");
    // set socket perms to sock_perm (best-effort)
    if let Err(err) =
        tokio::fs::set_permissions(&path, std::fs::Permissions::from_mode(sock_perm)).await
    {
        error!(
            "Warning: failed to set permissions on socket {}: {}",
            path.display(),
            err
        );
    }
    // set socket gid to sock_gid (best-effort)
    if !sock_gid.is_empty() {
        use nix::unistd::{Gid, chown};
        if let Err(err) = chown(
            &path,
            None,
            Some(Gid::from_raw(
                sock_gid
                    .parse()
                    .map_err(|e| format!("Failed to parse socket GID {}: {}", sock_gid, e))
                    .unwrap_or_else(|_| nix::unistd::getgid().as_raw()),
            )),
        ) {
            error!(
                "Warning: failed to set GID on socket {}: {}",
                path.display(),
                err
            );
        }
    }
    let scheduler = Arc::new(tokio_cron_scheduler::JobScheduler::new().await?);
    let app = Router::new()
        .route("/status", get(status))
        .route("/validate_and_reload", post(validate_and_reload))
        .route("/validate", post(validate))
        .route("/write_config", post(write_config))
        .with_state(NginxService::new(scheduler.clone(), PathBuf::from(nginx_config_dir)).await?);
    scheduler.clone().start().await?;
    info!("Starting yanpm-daemon on unix socket: {}", sock);
    axum::serve::serve(listener, app)
        .await
        .expect("Failed to start axum server");
    info!("Shutting down yanpm-daemon");
    Ok(())
 }
 async fn get_args(
    args: &Args,
 ) -> Result<(String, String, u32, String), Box<dyn std::error::Error + Send + Sync>> {
    let sock = args.sock.clone();
    let nginx_config_dir = args.nginx_config_dir.clone();
    let sock_perm = args.sock_perm.clone();
    let sock_gid = args.sock_gid.clone();
    if sock_perm.len() != 3 || !sock_perm.chars().all(|c| ('0'..='7').contains(&c)) {
        return Err(std::io::Error::new(
            std::io::ErrorKind::InvalidInput,
            format!(
                "Invalid socket permission string: {}. Must be a 3-digit octal number.",
                sock_perm
            ),
        )
        .into());
    }
    if sock_perm.chars().last().unwrap() > '0' {
        warn!(
            "Socket permission string {} allows others to access the socket. This may be a security risk. Consider setting {} to a desired group and using a socket permission string that does not allow others to access the socket.",
            sock_perm, SOCK_GID_ENV
        );
    };
    Ok((
        sock,
        nginx_config_dir,
        u32::from_str_radix(&sock_perm, 8).expect("Failed to parse socket permission string"),
        sock_gid,
    ))
 }
--- a/apps/agent/src/openapi.rs
+++ b/apps/agent/src/openapi.rs
@@ -0,0 +1,45 @@
 use tracing::info;
 use utoipa::OpenApi;
 pub mod tag {
    /// nginx
    pub const NGINX_TAG: &str = "Nginx Agent";
 }
 #[derive(utoipa::OpenApi)]
 #[openapi(
  paths(
    crate::routes::status,
    crate::routes::validate,
    crate::routes::validate_and_reload,
    crate::routes::write_config,
  ),
  components(
      schemas(crate::routes::StatusResp),
      schemas(crate::routes::ValidateAndReloadResp),
      schemas(crate::routes::ValidateBody),
      schemas(crate::routes::WriteConfigBody),
      schemas(crate::routes::ValidateAndReloadBody),
  ),
  tags(
      (name = tag::NGINX_TAG, description = "Nginx Agent API"),
  )
 )]
 struct ApiDoc;
 pub struct GenerateOpenapiArgs {
    pub output: String,
 }
 pub async fn generate_openapi_doc(
    args: &GenerateOpenapiArgs,
 ) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
    info!("Generating OpenAPI documentation...");
    let doc = ApiDoc::openapi();
    let json = doc
        .to_pretty_json()
        .expect("Failed to serialize OpenAPI doc to JSON");
    std::fs::write(&args.output, json).expect("Failed to write OpenAPI doc to file");
    info!("OpenAPI documentation generated at {}", args.output);
    Ok(())
 }
--- a/apps/agent/src/routes.rs
+++ b/apps/agent/src/routes.rs
@@ -0,0 +1,167 @@
 use axum::Json;
 use axum::extract::State;
 use axum::http::StatusCode;
 use axum::response::IntoResponse;
 use serde::{Deserialize, Serialize};
 use serde_json::{Value, from_value};
 use std::sync::Arc;
 use tracing::warn;
 use crate::commands::NginxService;
 #[derive(Serialize, utoipa::ToSchema)]
 pub struct StatusResp {
    pub ok: bool,
 }
 /// Health check endpoint
 #[utoipa::path(
    get,
    path = "/status",
    responses(
        (status = 200, description = "Status response", body = StatusResp)
    ),
    tag = crate::openapi::tag::NGINX_TAG
 )]
 pub async fn status() -> impl IntoResponse {
    let resp = StatusResp { ok: true };
    (axum::http::StatusCode::OK, axum::Json(resp))
 }
 #[derive(Serialize, utoipa::ToSchema)]
 pub struct ValidateAndReloadResp {
    pub rc: i32,
    pub ro: String,
 }
 #[derive(Deserialize, utoipa::ToSchema)]
 pub struct ValidateBody {
    config_name: String,
    timestamp: u64,
 }
 #[utoipa::path(
    post,
    path = "/validate",
    request_body = ValidateBody,
    responses(
        (status = 200, description = "Validation response", body = serde_json::Value)
    ),
    tag = crate::openapi::tag::NGINX_TAG
 )]
 pub async fn validate(
    State(nginx_controller): State<Arc<NginxService>>,
    Json(payload): Json<Value>,
 ) -> impl IntoResponse {
    let params: ValidateBody = match from_value(payload) {
        Ok(req) => req,
        Err(e) => {
            warn!("Invalid validate request: {}", e);
            return (StatusCode::BAD_REQUEST).into_response();
        }
    };
    let resp = match nginx_controller
        .validate(&params.config_name, params.timestamp)
        .await
    {
        Ok(res) => res,
        Err(e) => {
            let resp = serde_json::json!({ "error": e.to_string() });
            return (StatusCode::INTERNAL_SERVER_ERROR, axum::Json(resp)).into_response();
        }
    };
    (axum::http::StatusCode::OK, axum::Json(resp)).into_response()
 }
 #[derive(Deserialize, utoipa::ToSchema)]
 pub struct ValidateAndReloadBody {
    config_name: String,
    timestamp: u64,
 }
 #[utoipa::path(
    post,
    path = "/validate_and_reload",
    request_body = ValidateAndReloadBody,
    responses(
        (status = 200, description = "Validate and reload response", body = ValidateAndReloadResp)
    ),
    tag = crate::openapi::tag::NGINX_TAG
 )]
 pub async fn validate_and_reload(
    State(nginx_controller): State<Arc<NginxService>>,
    Json(payload): Json<Value>,
 ) -> impl IntoResponse {
    let params: ValidateAndReloadBody = match from_value(payload) {
        Ok(req) => req,
        Err(e) => {
            warn!("Invalid validate_and_reload request: {}", e);
            return (StatusCode::BAD_REQUEST).into_response();
        }
    };
    let (code, output) = match nginx_controller
        .validate_and_reload(&params.config_name, params.timestamp)
        .await
    {
        Ok(res) => res,
        Err(e) => {
            let resp = ValidateAndReloadResp {
                rc: -1,
                ro: e.to_string(),
            };
            return (StatusCode::INTERNAL_SERVER_ERROR, axum::Json(resp)).into_response();
        }
    };
    let resp = ValidateAndReloadResp {
        rc: code,
        ro: output,
    };
    (axum::http::StatusCode::OK, axum::Json(resp)).into_response()
 }
 #[derive(Deserialize, utoipa::ToSchema)]
 pub struct WriteConfigBody {
    config_name: String,
    timestamp: u64,
    content: String,
 }
 #[utoipa::path(
    post,
    path = "/write_config",
    request_body = WriteConfigBody,
    responses(
        (status = 200, description = "Write config response"),
        (status = 500, description = "Internal server error", body = serde_json::Value)
    ),
    tag = crate::openapi::tag::NGINX_TAG
 )]
 pub async fn write_config(
    State(nginx_controller): State<Arc<NginxService>>,
    Json(payload): Json<Value>,
 ) -> impl IntoResponse {
    let body: WriteConfigBody = match from_value(payload) {
        Ok(req) => req,
        Err(e) => {
            warn!("Invalid write_config request: {}", e);
            return (StatusCode::BAD_REQUEST).into_response();
        }
    };
    match nginx_controller
        .write_config(&body.config_name, body.timestamp, &body.content)
        .await
    {
        Ok(_) => (),
        Err(e) => {
            let resp = serde_json::json!({ "error": e.to_string() });
            return (StatusCode::INTERNAL_SERVER_ERROR, axum::Json(resp)).into_response();
        }
    };
    (axum::http::StatusCode::OK,).into_response()
 }
--- a/apps/agent/swagger.json
+++ b/apps/agent/swagger.json
@@ -0,0 +1,215 @@
 {
  "openapi": "3.1.0",
  "info": {
    "title": "yanpm-agent",
    "description": "",
    "license": {
      "name": ""
    },
    "version": "0.1.0"
  },
  "paths": {
    "/status": {
      "get": {
        "tags": [
          "Nginx Agent"
        ],
        "summary": "Health check endpoint",
        "operationId": "status",
        "responses": {
          "200": {
            "description": "Status response",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/StatusResp"
                }
              }
            }
          }
        }
      }
    },
    "/validate": {
      "post": {
        "tags": [
          "Nginx Agent"
        ],
        "operationId": "validate",
        "requestBody": {
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/ValidateBody"
              }
            }
          },
          "required": true
        },
        "responses": {
          "200": {
            "description": "Validation response",
            "content": {
              "application/json": {
                "schema": {}
              }
            }
          }
        }
      }
    },
    "/validate_and_reload": {
      "post": {
        "tags": [
          "Nginx Agent"
        ],
        "operationId": "validate_and_reload",
        "requestBody": {
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/ValidateAndReloadBody"
              }
            }
          },
          "required": true
        },
        "responses": {
          "200": {
            "description": "Validate and reload response",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ValidateAndReloadResp"
                }
              }
            }
          }
        }
      }
    },
    "/write_config": {
      "post": {
        "tags": [
          "Nginx Agent"
        ],
        "operationId": "write_config",
        "requestBody": {
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/WriteConfigBody"
              }
            }
          },
          "required": true
        },
        "responses": {
          "200": {
            "description": "Write config response"
          },
          "500": {
            "description": "Internal server error",
            "content": {
              "application/json": {
                "schema": {}
              }
            }
          }
        }
      }
    }
  },
  "components": {
    "schemas": {
      "StatusResp": {
        "type": "object",
        "required": [
          "ok"
        ],
        "properties": {
          "ok": {
            "type": "boolean"
          }
        }
      },
      "ValidateAndReloadBody": {
        "type": "object",
        "required": [
          "config_name",
          "timestamp"
        ],
        "properties": {
          "config_name": {
            "type": "string"
          },
          "timestamp": {
            "type": "integer",
            "format": "int64",
            "minimum": 0
          }
        }
      },
      "ValidateAndReloadResp": {
        "type": "object",
        "required": [
          "rc",
          "ro"
        ],
        "properties": {
          "rc": {
            "type": "integer",
            "format": "int32"
          },
          "ro": {
            "type": "string"
          }
        }
      },
      "ValidateBody": {
        "type": "object",
        "required": [
          "config_name",
          "timestamp"
        ],
        "properties": {
          "config_name": {
            "type": "string"
          },
          "timestamp": {
            "type": "integer",
            "format": "int64",
            "minimum": 0
          }
        }
      },
      "WriteConfigBody": {
        "type": "object",
        "required": [
          "config_name",
          "timestamp",
          "content"
        ],
        "properties": {
          "config_name": {
            "type": "string"
          },
          "content": {
            "type": "string"
          },
          "timestamp": {
            "type": "integer",
            "format": "int64",
            "minimum": 0
          }
        }
      }
    }
  },
  "tags": [
    {
      "name": "Nginx Agent",
      "description": "Nginx Agent API"
    }
  ]
 }
--- a/apps/api/Cargo.toml
+++ b/apps/api/Cargo.toml
@@ -6,8 +6,10 @@ edition = "2024"
 [dependencies]
 database = { path = "../../public/database" }
 migration = { path = "../../public/migration" }
 agent_client = { path = "../../public/agent-client" }
-axum = { version = "0.8.7", features = ["form", "http1", "http2", "json", "matched-path", "original-uri", "query", "tokio", "tower-log", "tracing", "macros"]}
+axum = { version = "0.8.7", features = ["form", "http1", "http2", "json", "matched-path", "original-uri", "query", "tokio", "tower-log", "tracing", "macros"] }
 axum-extra = { version = "0.12.2", features = ["cookie"] }
 async-trait = { version = "0.1.89" }
 chrono = { version = "0.4.42", features = ["clock", "std", "oldtime", "wasmbind", "serde"] }
 config = { version = "0.15.19", features = ["toml", "json", "yaml", "ini", "ron", "json5", "convert-case", "async"] }
@@ -23,3 +25,18 @@ mime_guess = { version = "2.0.5" }
 utoipa = { version = "5.4.0", features = ["macros", "axum_extras", "chrono", "decimal", "uuid", "time", "openapi_extensions"] }
 clap = { version = "4.5.53" }
 once_cell = { version = "1.21.3" }
 argon2 = { version = "0.5.3", features = ["std"] }
 jsonwebtoken = { version = "10.2.0", features = ["rust_crypto"] }
 uuid = { version = "1.19.0", features = ["v4", "serde", "fast-rng"] }
 tower-http = { version = "0.6.8", features = ["cors"] }
 reqwest = { version = "^0.12", features = ["json", "multipart", "stream"] }
 serde_urlencoded = { version = "0.7.1" }
 [dev-dependencies]
 tempfile = "3"
 axum-test = "18.4.1"
 agent_client = { path = "../../public/agent-client", features = ["mockall"] }
 mockall = { version = "0.14.0", features = [] }
 [lints.clippy]
 unwrap_used = "deny"
--- a/apps/api/src/cmd/generate_openapi.rs
+++ b/apps/api/src/cmd/generate_openapi.rs
@@ -28,7 +28,7 @@ fn action(
    _matches: &clap::ArgMatches,
 ) -> std::pin::Pin<Box<dyn std::future::Future<Output = ()> + Send>> {
    let output_path = _matches.get_one::<String>("output_path");
-    let output_path = output_path.unwrap().to_string();
+    let output_path = output_path.expect("output_path is required").to_string();
    Box::pin(async move {
        tracing::subscriber::with_default(log::make_temporary_subscriber(), || {
--- a/apps/api/src/cmd/start_server.rs
+++ b/apps/api/src/cmd/start_server.rs
@@ -11,8 +11,8 @@ use crate::{
    cmd::CliCommand,
    configs::{ProgramSettings, get_program_settings, logging::LoggingSettings},
    log,
-    routes::{self, AppService, AppState},
+    routes::{self, AppState},
-    services::settings::SettingsService,
+    services::get_app_service,
    tasks,
 };
@@ -58,6 +58,9 @@ pub async fn start_server() {
    tasks::startup::run_startup_tasks(&settings)
        .await
        .inspect_err(|err| {
            tracing::error!("Failed to run startup tasks: {}", err);
        })
        .expect("Failed to run startup tasks");
    // setup database connection pool
@@ -78,7 +81,23 @@ pub async fn start_server() {
    // build the axum app and run the server...
    info!("Starting application...");
-    let app: Router = routes::get_root_router(Arc::new(get_app_state(&db_connection)));
+    let mut app: Router = routes::get_root_router(
        Arc::new(get_app_state(&db_connection, &settings)),
        Arc::new(settings.server.cors.clone()),
    );
    if settings.server.serve_openapi {
        info!("Enabling OpenAPI documentation endpoint at /openapi.json");
        app = app.route(
            "/openapi.json",
            axum::routing::get(|| async {
                use utoipa::OpenApi;
                let doc = routes::ApiDoc::openapi();
                doc.to_pretty_json()
                    .expect("Failed to serialize OpenAPI doc to JSON")
            }),
        );
    }
    let address = format!("{}:{}", settings.server.address, settings.server.port);
    info!("Starting server at http://{}", address);
@@ -115,12 +134,14 @@ fn get_global_tracing_subscriber_builder(
    }
 }
-fn get_app_state(db_connection: &Arc<sea_orm::DatabaseConnection>) -> AppState {
+fn get_app_state(
    db_connection: &Arc<sea_orm::DatabaseConnection>,
    settings: &ProgramSettings,
 ) -> AppState {
    AppState {
        database_connection: db_connection.clone(),
-        service: Arc::new(AppService {
+        config: Arc::new(settings.clone()),
-            settings: Arc::new(SettingsService::new(db_connection.clone())),
+        service: Arc::new(get_app_service(db_connection, settings)),
        }),
    }
 }
--- a/apps/api/src/configs.rs
+++ b/apps/api/src/configs.rs
@@ -1,3 +1,5 @@
 pub mod agent;
 pub mod auth;
 pub mod database;
 pub mod logging;
 pub mod server;
@@ -10,6 +12,8 @@ use tracing::{debug, error};
 pub trait FromConfig: Sized {
    fn from_config(config: &Config) -> Result<Self, String>;
    fn validate(&self) -> Result<(), String>;
    #[cfg(test)]
    fn mock() -> Self;
 }
 #[derive(Debug, Clone)]
@@ -17,6 +21,8 @@ pub struct ProgramSettings {
    pub logging: logging::LoggingSettings,
    pub database: database::DatabaseSettings,
    pub server: server::ServerSettings,
    pub auth: auth::AuthSettings,
    pub agent: agent::AgentSettings,
 }
 impl FromConfig for ProgramSettings {
@@ -25,6 +31,8 @@ impl FromConfig for ProgramSettings {
            logging: logging::LoggingSettings::from_config(_config)?,
            database: database::DatabaseSettings::from_config(_config)?,
            server: server::ServerSettings::from_config(_config)?,
            auth: auth::AuthSettings::from_config(_config)?,
            agent: agent::AgentSettings::from_config(_config)?,
        };
        config.validate()?;
        Ok(config)
@@ -34,8 +42,20 @@ impl FromConfig for ProgramSettings {
        self.logging.validate()?;
        self.database.validate()?;
        self.server.validate()?;
        self.auth.validate()?;
        Ok(())
    }
    #[cfg(test)]
    fn mock() -> Self {
        ProgramSettings {
            logging: logging::LoggingSettings::mock(),
            database: database::DatabaseSettings::mock(),
            server: server::ServerSettings::mock(),
            auth: auth::AuthSettings::mock(),
            agent: agent::AgentSettings::mock(),
        }
    }
 }
 pub fn get_program_settings() -> ProgramSettings {
--- a/apps/api/src/configs/agent.rs
+++ b/apps/api/src/configs/agent.rs
@@ -0,0 +1,58 @@
 use config::Config;
 use tracing::error;
 use crate::configs::key::AGENT_SOCK_PATH_KEY;
 use super::FromConfig;
 #[derive(Debug, Clone)]
 pub struct AgentSettings {
    pub socket_path: String,
 }
 impl FromConfig for AgentSettings {
    fn from_config(_config: &Config) -> Result<Self, String> {
        Ok(AgentSettings {
            socket_path: _config.get_string(AGENT_SOCK_PATH_KEY).map_err(|err| {
                format!(
                    "Failed to get {} from configuration. Err: {}",
                    AGENT_SOCK_PATH_KEY, err
                )
            })?,
        })
    }
    fn validate(&self) -> Result<(), String> {
        // ensure socket_path exists and is readable and writable
        if !std::path::Path::new(&self.socket_path).exists() {
            let msg = format!("Agent socket path '{}' does not exist", self.socket_path);
            error!("{}", msg);
            return Err(msg);
        }
        if std::path::Path::new(&self.socket_path)
            .metadata()
            .map(|meta| {
                let permissions = meta.permissions();
                // Check read and write permissions for the owner
                !permissions.readonly()
            })
            .unwrap_or(false)
        {
            Ok(())
        } else {
            let msg = format!(
                "Agent socket path '{}' is not readable/writable",
                self.socket_path
            );
            error!("{}", msg);
            Err(msg)
        }
    }
    #[cfg(test)]
    fn mock() -> Self {
        AgentSettings {
            socket_path: "/tmp/agent.sock".to_string(),
        }
    }
 }
--- a/apps/api/src/configs/auth.rs
+++ b/apps/api/src/configs/auth.rs
@@ -0,0 +1,60 @@
 use config::{Config, ConfigError};
 use tracing::warn;
 use crate::configs::key::{
    AUTH_DEFAULT_ADMIN_PASSWORD_KEY, AUTH_DEFAULT_ADMIN_USERNAME_KEY, AUTH_JWT_SECRET_KEY,
 };
 use super::FromConfig;
 #[derive(Debug, Clone)]
 pub struct AuthSettings {
    pub jwt_secret: Option<String>,
    pub default_admin_username: Option<String>,
    pub default_admin_password: Option<String>,
 }
 impl FromConfig for AuthSettings {
    fn from_config(_config: &Config) -> Result<Self, String> {
        Ok(AuthSettings {
            jwt_secret: _config
                .get_string(AUTH_JWT_SECRET_KEY)
                .inspect_err(|err| {
                    match err {
                        ConfigError::NotFound(_) => {
                            warn!(
                                "{} not found in configuration, A random secret will be generated at runtime.",
                                AUTH_JWT_SECRET_KEY
                            );
                        }
                        _ => {
                            warn!(
                                "Failed to read {} from configuration, A random secret will be generated at runtime: {}",
                                AUTH_JWT_SECRET_KEY, err
                            );
                        }
                    };
                })
                .ok(),
            default_admin_username: _config
                .get_string(AUTH_DEFAULT_ADMIN_USERNAME_KEY)
                .ok(),
            default_admin_password: _config
                .get_string(AUTH_DEFAULT_ADMIN_PASSWORD_KEY)
                .ok(),
        })
    }
    fn validate(&self) -> Result<(), String> {
        Ok(())
    }
    #[cfg(test)]
    fn mock() -> Self {
        AuthSettings {
            jwt_secret: Some("mock_jwt_secret".to_string()),
            default_admin_username: Some("admin".to_string()),
            default_admin_password: Some("password".to_string()),
        }
    }
 }
--- a/apps/api/src/configs/database.rs
+++ b/apps/api/src/configs/database.rs
@@ -50,4 +50,13 @@ impl FromConfig for DatabaseSettings {
    fn validate(&self) -> Result<(), String> {
        Ok(())
    }
    #[cfg(test)]
    fn mock() -> Self {
        DatabaseSettings {
            url: "sqlite::memory:".to_string(),
            max_connections: 5,
            migrate_on_startup: true,
        }
    }
 }
--- a/apps/api/src/configs/key.rs
+++ b/apps/api/src/configs/key.rs
@@ -3,7 +3,16 @@ pub(crate) const LOGGING_UTC_KEY: &str = "LOGGING.UTC";
 //
 pub(crate) const SERVER_ADDRESS_KEY: &str = "SERVER.ADDRESS";
 pub(crate) const SERVER_PORT_KEY: &str = "SERVER.PORT";
 pub(crate) const SERVER_SERVE_OPENAPI_KEY: &str = "SERVER.SERVE_OPENAPI";
 pub(crate) const SERVER_CORS_ALLOWED_ORIGINS_KEY: &str = "SERVER.CORS.ALLOWED_ORIGINS";
 pub(crate) const SERVER_COOKIES_SECURE_KEY: &str = "SERVER.COOKIES.SECURE";
 //
 pub(crate) const DATABASE_URL_KEY: &str = "DATABASE.URL";
 pub(crate) const DATABASE_MAX_CONNECTIONS_KEY: &str = "DATABASE.MAX_CONNECTIONS";
 pub(crate) const DATABASE_MIGRATE_ON_STARTUP_KEY: &str = "DATABASE.MIGRATION.MIGRATE_ON_STARTUP";
 //
 pub(crate) const AUTH_JWT_SECRET_KEY: &str = "AUTH.JWT_SECRET";
 pub(crate) const AUTH_DEFAULT_ADMIN_USERNAME_KEY: &str = "AUTH.DEFAULT_ADMIN_USERNAME";
 pub(crate) const AUTH_DEFAULT_ADMIN_PASSWORD_KEY: &str = "AUTH.DEFAULT_ADMIN_PASSWORD";
 //
 pub(crate) const AGENT_SOCK_PATH_KEY: &str = "AGENT.SOCK.PATH";
--- a/apps/api/src/configs/logging.rs
+++ b/apps/api/src/configs/logging.rs
@@ -49,4 +49,12 @@ impl FromConfig for LoggingSettings {
    fn validate(&self) -> Result<(), String> {
        Ok(())
    }
    #[cfg(test)]
    fn mock() -> Self {
        LoggingSettings {
            level: Level::INFO,
            utc: false,
        }
    }
 }
--- a/apps/api/src/configs/server.rs
+++ b/apps/api/src/configs/server.rs
@@ -3,6 +3,10 @@ use std::net::IpAddr;
 use config::{Config, ConfigError};
 use tracing::warn;
 use crate::configs::key::{
    SERVER_COOKIES_SECURE_KEY, SERVER_CORS_ALLOWED_ORIGINS_KEY, SERVER_SERVE_OPENAPI_KEY,
 };
 use super::{
    FromConfig,
    key::{SERVER_ADDRESS_KEY, SERVER_PORT_KEY},
@@ -12,6 +16,19 @@ use super::{
 pub struct ServerSettings {
    pub address: IpAddr,
    pub port: u16,
    pub serve_openapi: bool,
    pub cors: CORSSettings,
    pub cookies: CookiesSettings,
 }
 #[derive(Debug, Clone)]
 pub struct CORSSettings {
    pub allowed_origins: Vec<String>,
 }
 #[derive(Debug, Clone)]
 pub struct CookiesSettings {
    pub secure: bool,
 }
 impl FromConfig for ServerSettings {
@@ -43,6 +60,53 @@ impl FromConfig for ServerSettings {
                );
                DEFAULT_PORT
            }) as u16,
            serve_openapi: _config
                .get_bool(SERVER_SERVE_OPENAPI_KEY)
                .unwrap_or_else(|err| {
                    const DEFAULT_SERVE_OPENAPI: bool = false;
                    warn!(
                        "{} not set or invalid in configuration, defaulting to {}. Error: {}",
                        SERVER_SERVE_OPENAPI_KEY, DEFAULT_SERVE_OPENAPI, err
                    );
                    DEFAULT_SERVE_OPENAPI
                }),
            cors: CORSSettings {
                allowed_origins: _config
                    .get_array(SERVER_CORS_ALLOWED_ORIGINS_KEY)
                    .unwrap_or_else(|_| vec![])
                    .into_iter()
                    .filter_map(|val| match val.into_string() {
                        Ok(s) => Some(s),
                        Err(e) => {
                            warn!(
                                "Invalid origin in {} configuration: {}",
                                SERVER_CORS_ALLOWED_ORIGINS_KEY, e
                            );
                            None
                        }
                    })
                    .collect(),
            },
            cookies: CookiesSettings {
                secure: _config
                    .get_bool(SERVER_COOKIES_SECURE_KEY)
                    .inspect(|is_secure| {
                        if !*is_secure {
                            warn!("Cookie 'secure' flag is disabled; this is not recommended in production environments.");
                        }
                    })
                    .unwrap_or_else(|err| {
                        const DEFAULT_COOKIES_SECURE: bool = true;
                        warn!(
                            "{} not set or invalid in configuration, defaulting to {}. Error: {}",
                            SERVER_COOKIES_SECURE_KEY, DEFAULT_COOKIES_SECURE, err
                        );
                        DEFAULT_COOKIES_SECURE
                    }),
            },
        })
    }
@@ -53,4 +117,17 @@ impl FromConfig for ServerSettings {
        }
        Ok(())
    }
    #[cfg(test)]
    fn mock() -> Self {
        ServerSettings {
            address: "0.0.0.0".parse().expect("Failed to parse mock IP address"),
            port: 8080,
            serve_openapi: false,
            cors: CORSSettings {
                allowed_origins: vec![],
            },
            cookies: CookiesSettings { secure: true },
        }
    }
 }
--- a/apps/api/src/errors.rs
+++ b/apps/api/src/errors.rs
@@ -1 +1,2 @@
 pub mod api_error;
 pub mod service_error;
--- a/apps/api/src/errors/api_error.rs
+++ b/apps/api/src/errors/api_error.rs
@@ -0,0 +1,32 @@
 use axum::response::IntoResponse;
 use sea_orm::DbErr;
 use tracing::error;
 use crate::errors::service_error::ServiceError;
 #[derive(Debug)]
 pub enum ApiError {
    ServiceError(ServiceError),
 }
 impl From<ServiceError> for ApiError {
    fn from(err: ServiceError) -> Self {
        error!("Service error occurred: {:?}", err);
        ApiError::ServiceError(err)
    }
 }
 impl From<DbErr> for ApiError {
    fn from(err: DbErr) -> Self {
        ServiceError::from(err).into()
    }
 }
 impl IntoResponse for ApiError {
    fn into_response(self) -> axum::response::Response {
        error!("API error occurred: {:?}", self);
        match self {
            ApiError::ServiceError(service_error) => service_error.into_response(),
        }
    }
 }
--- a/apps/api/src/errors/service_error.rs
+++ b/apps/api/src/errors/service_error.rs
@@ -1,10 +1,13 @@
 use axum::response::IntoResponse;
 use sea_orm::DbErr;
 #[derive(Debug)]
 pub enum ServiceError {
    NotFound(String),
    DatabaseError(String),
    Unauthorized(String),
    InternalError(String),
    BadRequest(String),
 }
 impl From<Box<dyn std::error::Error + Send + Sync + 'static>> for ServiceError {
@@ -13,6 +16,20 @@ impl From<Box<dyn std::error::Error + Send + Sync + 'static>> for ServiceError {
    }
 }
 impl std::fmt::Display for ServiceError {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        match self {
            ServiceError::NotFound(msg) => write!(f, "Not Found: {}", msg),
            ServiceError::DatabaseError(msg) => write!(f, "Database Error: {}", msg),
            ServiceError::Unauthorized(msg) => write!(f, "Unauthorized: {}", msg),
            ServiceError::InternalError(msg) => write!(f, "Internal Error: {}", msg),
            ServiceError::BadRequest(msg) => write!(f, "Bad Request: {}", msg),
        }
    }
 }
 impl std::error::Error for ServiceError {}
 impl From<DbErr> for ServiceError {
    fn from(err: DbErr) -> Self {
        match err {
@@ -21,3 +38,23 @@ impl From<DbErr> for ServiceError {
        }
    }
 }
 impl IntoResponse for ServiceError {
    fn into_response(self) -> axum::response::Response {
        let (status, message) = match &self {
            ServiceError::NotFound(msg) => (axum::http::StatusCode::NOT_FOUND, msg.clone()),
            ServiceError::DatabaseError(msg) => {
                (axum::http::StatusCode::INTERNAL_SERVER_ERROR, msg.clone())
            }
            ServiceError::Unauthorized(msg) => (axum::http::StatusCode::UNAUTHORIZED, msg.clone()),
            ServiceError::InternalError(msg) => {
                (axum::http::StatusCode::INTERNAL_SERVER_ERROR, msg.clone())
            }
            ServiceError::BadRequest(msg) => (axum::http::StatusCode::BAD_REQUEST, msg.clone()),
        };
        let body = axum::Json(serde_json::json!({
            "error": message,
        }));
        (status, body).into_response()
    }
 }
--- a/apps/api/src/helpers.rs
+++ b/apps/api/src/helpers.rs
@@ -0,0 +1,3 @@
 pub mod constants;
 pub mod database;
 pub mod macros;
--- a/apps/api/src/helpers/constants.rs
+++ b/apps/api/src/helpers/constants.rs
@@ -0,0 +1,3 @@
 pub const ADMIN_INIT_SECRET_KEY: &str = "admin_init_secret";
 //
 pub const JWT_COOKIE_NAME: &str = "session_jwt";
--- a/apps/api/src/helpers/database.rs
+++ b/apps/api/src/helpers/database.rs
@@ -0,0 +1,26 @@
 #[macro_export]
 macro_rules! with_conn {
    // Usage: with_conn!(&connection, tx_option, ident, |conn|-> { ... })
    ($conn:expr, $tx:expr, $ident:ident, $body:block) => {{
        if let Some(t) = &$tx {
            let $ident = t;
            $body
        } else {
            let $ident = &$conn;
            $body
        }
    }};
 }
 pub struct PaginationFilter {
    pub page: u64,
    pub per_page: u64,
 }
 impl PaginationFilter {
    pub fn get_offset_limit(&self) -> (u64, u64) {
        let offset = (self.page - 1) * self.per_page;
        let limit = self.per_page;
        (offset, limit)
    }
 }
--- a/apps/api/src/helpers/macros.rs
+++ b/apps/api/src/helpers/macros.rs
@@ -0,0 +1,9 @@
 #[macro_export]
 macro_rules! set_if_some {
    ($field:expr) => {
        match $field {
            Some(value) => sea_orm::ActiveValue::Set(value),
            None => sea_orm::ActiveValue::NotSet,
        }
    };
 }
--- a/apps/api/src/main.rs
+++ b/apps/api/src/main.rs
@@ -1,6 +1,9 @@
 #![forbid(unsafe_code)]
 mod cmd;
 mod configs;
 mod errors;
 mod helpers;
 mod log;
 mod middlewares;
 mod routes;
--- a/apps/api/src/middlewares.rs
+++ b/apps/api/src/middlewares.rs
@@ -1,25 +1,61 @@
 pub mod request_info;
 pub mod require_auth;
 use std::{sync::Arc, time::Duration};
 use axum::{
    BoxError, Router,
    error_handling::HandleErrorLayer,
-    http::{Method, StatusCode, Uri},
+    http::{HeaderValue, Method, StatusCode, Uri},
 };
 use std::time::Duration;
 use tower::{ServiceBuilder, timeout::TimeoutLayer};
-
+use tower_http::cors::{AllowHeaders, AllowMethods, AllowOrigin, CorsLayer};
 use tracing::warn;
 use crate::{configs::server::CORSSettings, routes::AppState};
 pub const TIMEOUT_DURATION_SECS: u64 = 30;
-pub fn apply_root_middleware(router: Router) -> Router {
+pub fn apply_root_middleware(
    router: Router,
    _state: Arc<AppState>,
    cors_settings: Arc<CORSSettings>,
 ) -> Router {
    let timeout_layer = TimeoutLayer::new(Duration::from_secs(TIMEOUT_DURATION_SECS));
    let service_builder = ServiceBuilder::new()
        .layer(HandleErrorLayer::new(handle_timeout_error))
-        .layer(timeout_layer);
+        .layer(timeout_layer)
        .layer(get_cors_layer(cors_settings));
    router.layer(service_builder)
 }
 pub fn get_cors_layer(cors_settings: Arc<CORSSettings>) -> CorsLayer {
    let mut cors_layer = CorsLayer::new()
        .allow_credentials(true)
        .allow_methods(AllowMethods::mirror_request())
        .allow_headers(AllowHeaders::mirror_request());
    let allowed_origins = &cors_settings.allowed_origins;
    if allowed_origins.contains(&"*".to_string()) {
        cors_layer = cors_layer.allow_origin(AllowOrigin::mirror_request());
        warn!(
            "Wildcard origin is found in allowed origins. CORS is configured to allow requests from any origin. Only use this setting in development or if you understand the security implications."
        );
    } else {
        for origin in allowed_origins {
            if let Ok(header_value) = HeaderValue::from_str(origin) {
                cors_layer = cors_layer.allow_origin(AllowOrigin::exact(header_value));
            } else {
                warn!("Invalid CORS origin: {}", origin);
            }
        }
    }
    cors_layer
 }
 pub async fn handle_timeout_error(
    method: Method,
    uri: Uri,
--- a/apps/api/src/middlewares/request_info.rs
+++ b/apps/api/src/middlewares/request_info.rs
@@ -0,0 +1,34 @@
 use axum::{extract::FromRequestParts, http::StatusCode};
 use uuid::Uuid;
 #[derive(Clone, Debug)]
 pub struct RequestInfo {
    pub user_id: Option<Uuid>,
 }
 pub struct AuthenticatedRequestInfo {
    pub user_id: Uuid,
 }
 impl<S> FromRequestParts<S> for AuthenticatedRequestInfo
 where
    S: Send + Sync,
 {
    type Rejection = StatusCode;
    async fn from_request_parts(
        parts: &mut axum::http::request::Parts,
        _state: &S,
    ) -> Result<Self, Self::Rejection> {
        let request_info = parts
            .extensions
            .get::<RequestInfo>()
            .ok_or(StatusCode::UNAUTHORIZED)?;
        if let Some(user_id) = request_info.user_id {
            Ok(AuthenticatedRequestInfo { user_id })
        } else {
            Err(StatusCode::UNAUTHORIZED)
        }
    }
 }
--- a/apps/api/src/middlewares/require_auth.rs
+++ b/apps/api/src/middlewares/require_auth.rs
@@ -0,0 +1,109 @@
 use std::sync::Arc;
 use axum::{
    extract::State,
    http::{Request, StatusCode},
    middleware::Next,
    response::Response,
 };
 use axum_extra::extract::cookie::CookieJar;
 use tracing::debug;
 use uuid::Uuid;
 use crate::{
    errors::service_error::ServiceError, helpers::constants::JWT_COOKIE_NAME,
    middlewares::request_info::RequestInfo, routes::AppState,
 };
 pub async fn require_auth(
    cookies: CookieJar,
    State(state): State<Arc<AppState>>,
    req: Request<axum::body::Body>,
    next: Next,
 ) -> Result<Response, StatusCode> {
    // get jwt from cookies
    let auth_service = &state.service.auth_state.authentication;
    let token = if let Some(cookie) = cookies.get(JWT_COOKIE_NAME) {
        cookie.value().to_string()
    } else {
        debug!("No JWT cookie found. cookies: {:?}", cookies);
        return handle_unauthenticated().await;
    };
    // validate jwt
    let is_valid = auth_service.is_valid_jwt(&token, None).await;
    let user_id = match is_valid {
        Ok(Some(claims)) => claims
            .sub
            .parse::<Uuid>()
            .map_err(|_| StatusCode::UNAUTHORIZED)?,
        Ok(None) => return handle_unauthenticated().await,
        Err(err) => {
            tracing::error!("Error validating JWT: {}", err);
            return Err(StatusCode::INTERNAL_SERVER_ERROR);
        }
    };
    // ensure user exists
    if let Err(err) = state.service.user.get_user_by_id(user_id, None).await {
        match err {
            ServiceError::NotFound(_) => return handle_unauthenticated().await,
            _ => {
                tracing::error!("Error fetching user by ID: {}", err);
                return Err(StatusCode::INTERNAL_SERVER_ERROR);
            }
        }
    }
    let mut req = req;
    let user = req
        .extensions_mut()
        .get_or_insert_with(|| RequestInfo { user_id: None });
    user.user_id = Some(user_id);
    Ok(next.run(req).await)
 }
 async fn handle_unauthenticated() -> Result<Response, StatusCode> {
    // TODO: log unauthenticated access attempts
    Err(StatusCode::UNAUTHORIZED)
 }
 #[cfg(test)]
 pub mod mock {
    use super::*;
    pub const REQUEST_AUTH_USER_ID_HEADER: &str = "x-mock-authenticated-user-id";
    pub const REQUEST_AUTH_USER_INVALID_HEADER: &str = "x-mock-authenticated-invalid";
    pub async fn mock_require_auth(
        req: Request<axum::body::Body>,
        next: Next,
    ) -> Result<Response, StatusCode> {
        let mut req = req;
        let invalid_present = req
            .headers()
            .get(REQUEST_AUTH_USER_INVALID_HEADER)
            .is_some();
        let user_id_header = req.headers().get(REQUEST_AUTH_USER_ID_HEADER).cloned();
        if invalid_present {
            return handle_unauthenticated().await;
        }
        let user = req
            .extensions_mut()
            .get_or_insert_with(|| RequestInfo { user_id: None });
        user.user_id = Some(if let Some(user_id_header) = user_id_header {
            let user_id_str = user_id_header
                .to_str()
                .map_err(|_| StatusCode::UNAUTHORIZED)?;
            Uuid::parse_str(user_id_str).map_err(|_| StatusCode::UNAUTHORIZED)?
        } else {
            Uuid::new_v4()
        });
        Ok(next.run(req).await)
    }
 }
--- a/apps/api/src/routes.rs
+++ b/apps/api/src/routes.rs
@@ -8,35 +8,45 @@ use std::sync::Arc;
 use axum::{Extension, Router};
 use migration::sea_orm::DatabaseConnection;
-use crate::{middlewares, services::settings::SettingsStore};
+use crate::{
    configs::{ProgramSettings, server::CORSSettings},
    middlewares,
    services::{
        AppService, ServiceState,
        auth::authentication::{AuthenticationService, strategies::password::PasswordStrategy},
    },
 };
 #[derive(Clone)]
 pub struct AppState {
    // TODO: remove dead_code allowances when fields are used
    #[allow(dead_code)]
    pub database_connection: Arc<DatabaseConnection>,
    // TODO: remove dead_code allowances when fields are used
    #[allow(dead_code)]
    pub service: Arc<AppService>,
    pub config: Arc<ProgramSettings>,
 }
-pub type ServiceState<T> = Arc<T>;
+pub struct AuthStrategy {
-
+    pub password: ServiceState<PasswordStrategy>,
 pub struct AppService {
    #[allow(dead_code)] // TODO: remove when used
    pub settings: ServiceState<dyn SettingsStore>,
 }
-pub fn get_root_router(state: impl Into<Arc<AppState>>) -> Router {
+pub struct AuthState {
    pub strategy: AuthStrategy,
    pub authentication: ServiceState<dyn AuthenticationService>,
 }
 pub fn get_root_router(
    state: impl Into<Arc<AppState>>,
    cors_settings: Arc<CORSSettings>,
 ) -> Router {
    let mut router = Router::new();
    let state = state.into();
    router = router
-        .nest("/api", api::get_api_router())
+        .nest("/api", api::get_api_router(state.clone()))
        .merge(view::get_view_router());
-    router = middlewares::apply_root_middleware(router);
+    router = middlewares::apply_root_middleware(router, state.clone(), cors_settings);
-    router = router.layer(Extension(state.into()));
+    router = router.layer(Extension(state.clone()));
    router
 }
--- a/apps/api/src/routes/api.rs
+++ b/apps/api/src/routes/api.rs
@@ -1,13 +1,22 @@
 mod auth;
 mod health;
 mod helper;
 mod openapi;
 mod restricted;
 use std::sync::Arc;
 use crate::routes::AppState;
 pub use self::openapi::ApiDoc;
 use axum::{Router, response::IntoResponse, routing::any};
-pub fn get_api_router() -> Router {
+pub fn get_api_router(state: Arc<AppState>) -> Router {
    Router::new()
-        .nest("/health", health::get_health_router())
+        .nest("/health", health::get_health_router(state.clone()))
        .merge(auth::get_basic_auth_router(state.clone()))
        .merge(restricted::get_restricted_router(state.clone()))
        // explicit fallback for unmatched API routes
        .route("/{*wildcard}", any(api_fallback_handler))
 }
--- a/apps/api/src/routes/api/auth.rs
+++ b/apps/api/src/routes/api/auth.rs
@@ -0,0 +1,15 @@
 pub mod init_admin;
 pub mod login;
 use std::sync::Arc;
 use axum::{Router, routing::post};
 use crate::routes::AppState;
 pub fn get_basic_auth_router(state: Arc<AppState>) -> Router {
    Router::new()
        .route("/auth/login", post(login::login))
        .route("/auth/init_admin", post(init_admin::init_admin))
        .with_state(state)
 }
--- a/apps/api/src/routes/api/auth/init_admin.rs
+++ b/apps/api/src/routes/api/auth/init_admin.rs
@@ -0,0 +1,143 @@
 use std::sync::Arc;
 use axum::{
    Json,
    extract::State,
    http::StatusCode,
    response::{IntoResponse, Response},
 };
 use database::generated::entities::user;
 use sea_orm::{ColumnTrait, EntityTrait, QueryFilter, TransactionTrait};
 use serde::{Deserialize, Serialize};
 use serde_json::{Value, from_value};
 use tracing::{debug, error, info, warn};
 use crate::{
    helpers::constants::ADMIN_INIT_SECRET_KEY,
    routes::{AppState, api::openapi::tag::AUTH_TAG},
    services::auth::user::NewUser,
 };
 /// Login request payload
 #[derive(Serialize, Deserialize, utoipa::ToSchema)]
 pub struct AdminInitRequest {
    username: String,
    password: String,
    // The secret key required to initialize the admin user
    setup_secret: String,
 }
 /// Initializes the admin user
 ///
 /// Initializes the admin user if no admin user exists and the correct setup secret is provided.
 #[utoipa::path(
        post,
        path = "/api/auth/init_admin",
        request_body = AdminInitRequest,
        responses(
            (status = 200, description = "Admin user initialized successfully"),
            (status = 400, description = "Invalid request payload"),
            (status = 401, description = "Unauthorized: Admin user already exists or invalid setup secret"),
            (status = 500, description = "Internal server error"),
        ),
        tag = AUTH_TAG,
    )]
 pub async fn init_admin(
    State(state): State<Arc<AppState>>,
    Json(payload): Json<Value>,
 ) -> Response {
    if user::Entity::find()
        .filter(user::Column::IsAdmin.eq(true))
        .filter(user::Column::IsActive.eq(true))
        .one(state.database_connection.as_ref())
        .await
        .map_err(|err| {
            error!("Failed to query for existing admin user: {}", err);
            StatusCode::INTERNAL_SERVER_ERROR
        })
        .unwrap_or(None)
        .is_some()
    {
        warn!("Admin user already exists. Skipping admin initialization.");
        return (StatusCode::UNAUTHORIZED).into_response();
    }
    let init_request: AdminInitRequest = match from_value(payload) {
        Ok(req) => req,
        Err(e) => {
            warn!("Invalid login request: {}", e);
            return (StatusCode::BAD_REQUEST).into_response();
        }
    };
    let admin_secret = match state
        .service
        .settings
        .get_setting(ADMIN_INIT_SECRET_KEY)
        .await
    {
        Ok(secret) => secret,
        Err(e) => {
            error!(
                "Failed to retrieve admin initialization secret. Invalid internal state?: {}",
                e
            );
            return (StatusCode::INTERNAL_SERVER_ERROR).into_response();
        }
    };
    if init_request.setup_secret != admin_secret {
        info!("{},{}", init_request.setup_secret, admin_secret);
        warn!("Invalid admin initialization secret provided.");
        return (StatusCode::UNAUTHORIZED).into_response();
    }
    let mut tx = match state.database_connection.begin().await {
        Ok(tx) => tx,
        Err(e) => {
            error!("Failed to start transaction: {}", e);
            return (StatusCode::INTERNAL_SERVER_ERROR).into_response();
        }
    };
    let user = match state
        .service
        .user
        .create_user(
            NewUser {
                username: init_request.username,
                is_admin: true,
            },
            Some(&mut tx),
        )
        .await
    {
        Ok(user) => user,
        Err(e) => {
            error!("Failed to initialize admin user: {}", e);
            return (StatusCode::INTERNAL_SERVER_ERROR).into_response();
        }
    };
    debug!("Created admin user with ID: {}", user.id);
    match state
        .service
        .auth_state
        .strategy
        .password
        .create_identity(user.id, &init_request.password, Some(&mut tx))
        .await
    {
        Ok(_) => {}
        Err(e) => {
            error!("Failed to create admin user identity: {}", e);
            return (StatusCode::INTERNAL_SERVER_ERROR).into_response();
        }
    };
    tx.commit().await.unwrap_or_else(|e| {
        error!("Failed to commit transaction: {}", e);
    });
    (StatusCode::OK).into_response()
 }
--- a/apps/api/src/routes/api/auth/login.rs
+++ b/apps/api/src/routes/api/auth/login.rs
@@ -0,0 +1,107 @@
 use std::sync::Arc;
 use axum::{
    Json,
    body::Body,
    extract::State,
    http::{StatusCode, header::SET_COOKIE},
    response::{IntoResponse, Response},
 };
 use serde::{Deserialize, Serialize};
 use serde_json::{Value, from_value};
 use tracing::{error, warn};
 use crate::{
    helpers::constants::JWT_COOKIE_NAME,
    routes::{AppState, api::openapi::tag::AUTH_TAG},
 };
 /// Login request payload
 #[derive(Serialize, Deserialize, utoipa::ToSchema)]
 pub struct LoginRequest {
    username: String,
    password: String,
 }
 /// Login endpoint
 ///
 /// Authenticates a user and returns a JWT in an HttpOnly cookie.
 #[utoipa::path(
        post,
        path = "/api/auth/login",
        request_body = LoginRequest,
        responses(
            (status = 200, description = "User authenticated successfully", body = ()),
            (status = 401, description = "Authentication failed"),
            (status = 500, description = "Internal server error"),
        ),
        tag = AUTH_TAG,
    )]
 pub async fn login(State(state): State<Arc<AppState>>, Json(payload): Json<Value>) -> Response {
    let login_request: LoginRequest = match from_value(payload) {
        Ok(req) => req,
        Err(e) => {
            warn!("Invalid login request: {}", e);
            return (StatusCode::BAD_REQUEST).into_response();
        }
    };
    let user_id = match state
        .service
        .auth_state
        .strategy
        .password
        .authenticate(&login_request.username, &login_request.password, None)
        .await
    {
        Ok(user_id) => user_id,
        Err(e) => {
            warn!(
                "Authentication failed for user {}: {}",
                login_request.username, e
            );
            return (StatusCode::UNAUTHORIZED).into_response();
        }
    };
    let (jwt, claims) = match state
        .service
        .auth_state
        .authentication
        .generate_jwt(user_id, 3600)
        .await
    {
        Ok(token) => token,
        Err(e) => {
            error!("Error generating JWT for user {}: {}", user_id, e);
            return (StatusCode::INTERNAL_SERVER_ERROR).into_response();
        }
    };
    let response_builder = Response::builder()
        .status(StatusCode::OK)
        // add jwt as cookie
        .header(
            SET_COOKIE,
            format!(
                "{}={}; HttpOnly; Path=/; Max-Age={}; SameSite=Strict;{}",
                JWT_COOKIE_NAME,
                jwt,
                claims.exp - claims.iat,
                if state.config.server.cookies.secure {
                    " Secure;"
                } else {
                    ""
                }
            ),
        )
        .body(Body::from(()));
    match response_builder {
        Ok(resp) => resp,
        Err(e) => {
            error!("Error building response: {}", e);
            (StatusCode::INTERNAL_SERVER_ERROR).into_response()
        }
    }
 }
--- a/apps/api/src/routes/api/health.rs
+++ b/apps/api/src/routes/api/health.rs
@@ -5,8 +5,13 @@ use std::sync::Arc;
 use axum::{Router, routing::get};
-pub fn get_health_router() -> Router {
+use crate::routes::{AppState, api::health::state::AppStateWithHealth};
 pub fn get_health_router(app_state: Arc<AppState>) -> Router {
    Router::new()
        .route("/info", get(info::get_health_info))
-        .with_state(Arc::new(state::HealthState::default()))
+        .with_state(Arc::new(AppStateWithHealth {
            app_state: app_state.clone(),
            health_state: Arc::new(state::HealthState::default()),
        }))
 }
--- a/apps/api/src/routes/api/health/info.rs
+++ b/apps/api/src/routes/api/health/info.rs
@@ -3,8 +3,9 @@ use std::sync::Arc;
 use axum::{Json, extract::State, http::StatusCode};
 use chrono::{DateTime, Utc};
 use serde::{Deserialize, Serialize};
 use tracing::error;
-use crate::routes::api::{health::state::HealthState, openapi::tag::HEALTH_TAG};
+use crate::routes::api::{health::state::AppStateWithHealth, openapi::tag::HEALTH_TAG};
 const STATUS_HEALTHY: &str = "healthy";
 const STATUS_UNHEALTHY: &str = "unhealthy";
@@ -20,6 +21,8 @@ pub struct HealthInfo {
    pub up_since: DateTime<Utc>,
    /// List of error messages if unhealthy
    pub errors: Option<Vec<String>>,
    /// Is initialized
    pub is_initialized: bool,
 }
 /// Health check endpoint
@@ -35,12 +38,23 @@ pub struct HealthInfo {
        tag = HEALTH_TAG,
    )]
 pub async fn get_health_info(
-    State(state): State<Arc<HealthState>>,
+    State(app_state_with_health): State<Arc<AppStateWithHealth>>,
 ) -> (StatusCode, Json<HealthInfo>) {
    #[allow(unused_mut)]
    let mut errors = vec![];
    let is_healthy = errors.is_empty();
    let health_state = &app_state_with_health.health_state;
    let app_state = &app_state_with_health.app_state;
    let is_initialized = match app_state.service.server_state.is_server_initialized().await {
        Ok(initialized) => initialized,
        Err(err) => {
            errors.push("Failed to determine if server is initialized".to_string());
            error!("Error checking server initialization status: {}", err);
            false
        }
    };
    (
        if is_healthy {
@@ -55,8 +69,9 @@ pub async fn get_health_info(
                STATUS_UNHEALTHY.into()
            },
            version: env!("CARGO_PKG_VERSION").into(),
-            up_since: *state.get_start_at(),
+            up_since: *health_state.get_start_at(),
            errors: if is_healthy { None } else { Some(errors) },
            is_initialized,
        }),
    )
 }
@@ -64,29 +79,60 @@ pub async fn get_health_info(
 #[cfg(test)]
 mod test {
    use super::*;
    use crate::configs::FromConfig;
    use crate::routes::{AppState, api::health::state::HealthState};
    use crate::services::get_app_service;
    use axum::body::to_bytes;
    use axum::{
        Router,
        body::Body,
        http::{Request, StatusCode},
    };
    use sea_orm::MockDatabase;
    use tower::ServiceExt;
    #[tokio::test]
    async fn test_get_health_info() {
        let health_state = Arc::new(HealthState::default());
        let db = MockDatabase::new(sea_orm::DatabaseBackend::Sqlite)
            .append_query_results(vec![Vec::<sea_orm::MockRow>::new()])
            .into_connection();
        let db = Arc::new(db);
        let app_state = Arc::new(AppState {
            database_connection: db.clone(),
            config: Arc::new(crate::configs::ProgramSettings::mock()),
            service: Arc::new(get_app_service(
                &db.clone(),
                &crate::configs::ProgramSettings::mock(),
            )),
        });
        let app = Router::new()
            .route("/info", axum::routing::get(get_health_info))
-            .with_state(health_state);
+            .with_state(Arc::new(AppStateWithHealth {
                app_state: app_state.clone(),
                health_state: health_state.clone(),
            }));
        let response = app
-            .oneshot(Request::builder().uri("/info").body(Body::empty()).unwrap())
+            .oneshot(
                Request::builder()
                    .uri("/info")
                    .body(Body::empty())
                    .expect("Failed to build request"),
            )
            .await
            .unwrap();
        assert_eq!(response.status(), StatusCode::OK);
-        let body = to_bytes(response.into_body(), 1024 * 1024).await.unwrap(); // Set limit to 1 MB
+        let body = to_bytes(response.into_body(), 1024 * 1024)
-        let health_info: HealthInfo = serde_json::from_slice(&body).unwrap();
+            .await
            .expect("Failed to read response body"); // Set limit to 1 MB
        let health_info: HealthInfo =
            serde_json::from_slice(&body).expect("Failed to deserialize response body");
        assert_eq!(health_info.status, STATUS_HEALTHY);
        assert_eq!(health_info.version, env!("CARGO_PKG_VERSION"));
        assert!(health_info.errors.is_none());
--- a/apps/api/src/routes/api/health/state.rs
+++ b/apps/api/src/routes/api/health/state.rs
@@ -1,5 +1,14 @@
 use std::sync::Arc;
 use chrono::{DateTime, Utc};
 use crate::routes::AppState;
 pub struct AppStateWithHealth {
    pub app_state: Arc<AppState>,
    pub health_state: Arc<HealthState>,
 }
 pub struct HealthState {
    start_at: DateTime<Utc>,
 }
--- a/apps/api/src/routes/api/helper.rs
+++ b/apps/api/src/routes/api/helper.rs
@@ -0,0 +1 @@
 pub mod pagination;
--- a/apps/api/src/routes/api/helper/pagination.rs
+++ b/apps/api/src/routes/api/helper/pagination.rs
@@ -0,0 +1,76 @@
 use axum::{
    extract::FromRequestParts,
    http::{StatusCode, request::Parts},
 };
 use serde::{Deserialize, Serialize};
 use crate::helpers::database::PaginationFilter;
 #[derive(Serialize, Deserialize, utoipa::ToSchema, Clone)]
 /// Pagination parameters for API requests
 pub struct Pagination {
    /// Page number (1-based)
    pub page: u32,
    /// Items per page
    pub per_page: u32,
 }
 impl Default for Pagination {
    fn default() -> Self {
        Self {
            page: 1,
            per_page: 20,
        }
    }
 }
 impl From<Pagination> for PaginationFilter {
    fn from(pagination: Pagination) -> Self {
        Self {
            page: pagination.page as u64,
            per_page: pagination.per_page as u64,
        }
    }
 }
 #[derive(Serialize, Deserialize, utoipa::ToSchema)]
 /// Pagination information included in API responses
 pub struct PaginationInfo {
    /// Total number of items
    pub total_items: u64,
    /// Total number of pages
    pub total_pages: u32,
    /// Current page number
    pub current_page: u32,
    /// Items per page
    pub per_page: u32,
 }
 /// Extractor for pagination parameters from query string
 pub struct ExtractPagination(pub Pagination);
 impl<S> FromRequestParts<S> for ExtractPagination
 where
    S: Send + Sync,
 {
    type Rejection = (StatusCode, &'static str);
    async fn from_request_parts(parts: &mut Parts, _state: &S) -> Result<Self, Self::Rejection> {
        let query = parts.uri.query().unwrap_or("");
        let pagination: Pagination = serde_urlencoded::from_str(query).unwrap_or_default();
        // validation
        if pagination.page == 0 {
            return Err((StatusCode::BAD_REQUEST, "page must be greater than 0"));
        }
        if pagination.per_page < 1 || pagination.per_page > 100 {
            return Err((
                StatusCode::BAD_REQUEST,
                "per_page must be between 1 and 100",
            ));
        }
        Ok(ExtractPagination(pagination))
    }
 }
--- a/apps/api/src/routes/api/openapi.rs
+++ b/apps/api/src/routes/api/openapi.rs
@@ -1,18 +1,77 @@
 pub mod tag {
    /// Health tag constant
    pub const HEALTH_TAG: &str = "Health";
    pub const AUTH_TAG: &str = "Authentication";
    pub const USER_TAG: &str = "User";
    pub const NGINX_TAG: &str = "Nginx";
 }
 #[derive(utoipa::OpenApi)]
 #[openapi(
  paths(
-    crate::routes::api::health::info::get_health_info
+    crate::routes::api::health::info::get_health_info,
    // Authentication paths
    crate::routes::api::auth::login::login,
    crate::routes::api::auth::init_admin::init_admin,
    // User management paths
    crate::routes::api::restricted::user::me::get_user_info,
    // Nginx upstream management
    crate::routes::api::restricted::nginx::upstream::create_upstream::create_upstream,
    crate::routes::api::restricted::nginx::upstream::create_upstream_target::add_upstream_target,
    crate::routes::api::restricted::nginx::upstream::get_upstream::get_upstream_list,
    crate::routes::api::restricted::nginx::upstream::get_upstream::get_upstream,
    crate::routes::api::restricted::nginx::upstream::get_upstream_target::get_upstream_target,
    crate::routes::api::restricted::nginx::upstream::update_upstream::update_upstream,
    crate::routes::api::restricted::nginx::upstream::update_upstream_target::update_upstream_target,
    crate::routes::api::restricted::nginx::upstream::remove_upstream::remove_upstream,
    crate::routes::api::restricted::nginx::upstream::remove_upstream_target::remove_upstream_target,
    // Nginx proxy host management
    crate::routes::api::restricted::nginx::proxy_host::get_proxy::get_proxy_list,
    crate::routes::api::restricted::nginx::proxy_host::get_proxy::get_proxy,
    crate::routes::api::restricted::nginx::proxy_host::create_proxy::create_proxy,
    crate::routes::api::restricted::nginx::proxy_host::update_proxy::update_proxy,
    crate::routes::api::restricted::nginx::proxy_host::remove_proxy::remove_proxy,
    // Proxy host locations
    crate::routes::api::restricted::nginx::proxy_host::create_location::create_location,
    crate::routes::api::restricted::nginx::proxy_host::get_location::get_location,
    crate::routes::api::restricted::nginx::proxy_host::update_location::update_location,
    crate::routes::api::restricted::nginx::proxy_host::remove_location::remove_location,
  ),
  components(
-      schemas(crate::routes::api::health::info::HealthInfo) // Register any schemas used in your paths
+      schemas(crate::routes::api::health::info::HealthInfo),
      // Authentication schemas
      schemas(crate::routes::api::auth::login::LoginRequest),
      schemas(crate::routes::api::auth::init_admin::AdminInitRequest),
      // User management schemas
      schemas(crate::routes::api::restricted::user::me::UserInfo),
      // Nginx upstream schemas
      schemas(crate::routes::api::restricted::nginx::upstream::create_upstream::CreateUpstreamRequestBody),
      schemas(crate::routes::api::restricted::nginx::upstream::create_upstream_target::CreateUpstreamTargetInfo),
      schemas(crate::routes::api::restricted::nginx::upstream::get_upstream::GetUpstreamParams),
      schemas(crate::routes::api::restricted::nginx::upstream::get_upstream_target::GetUpstreamTargetsParams),
      schemas(crate::routes::api::restricted::nginx::upstream::info::response::UpstreamTargetInfo),
      schemas(crate::routes::api::restricted::nginx::upstream::info::response::UpstreamInfoResponse),
      schemas(crate::routes::api::restricted::nginx::upstream::info::response::UpstreamListResponse),
      schemas(crate::routes::api::restricted::nginx::upstream::info::response::UpstreamTargetInfoResponse),
      schemas(crate::routes::api::restricted::nginx::upstream::update_upstream::UpdateUpstreamRequestBody),
      schemas(crate::routes::api::restricted::nginx::upstream::update_upstream_target::UpdateUpstreamTargetRequestBody),
      schemas(crate::routes::api::restricted::nginx::upstream::info::response::UpdateUpstreamInfoResponse),
      schemas(crate::routes::api::restricted::nginx::upstream::info::response::UpdateUpstreamTargetInfoResponse),
        // Nginx proxy host schemas
        schemas(crate::routes::api::restricted::nginx::proxy_host::create_proxy::CreateLocationReq),
        schemas(crate::routes::api::restricted::nginx::proxy_host::create_proxy::CreateProxyRequestBody),
        schemas(crate::routes::api::restricted::nginx::proxy_host::create_location::CreateLocationRequestBody),
        schemas(crate::routes::api::restricted::nginx::proxy_host::update_proxy::UpdateProxyRequestBody),
        schemas(crate::routes::api::restricted::nginx::proxy_host::update_location::UpdateLocationRequestBody),
        schemas(crate::routes::api::restricted::nginx::proxy_host::info::response::LocationInfoResponse),
        schemas(crate::routes::api::restricted::nginx::proxy_host::info::response::ProxyHostInfoResponse),
        schemas(crate::routes::api::restricted::nginx::proxy_host::info::response::ProxyListResponse),
  ),
  tags(
-      (name = tag::HEALTH_TAG, description = "Health information API")
+      (name = tag::HEALTH_TAG, description = "Health information API"),
      (name = tag::AUTH_TAG, description = "Authentication API"),
      (name = tag::USER_TAG, description = "User management API"),
      (name = tag::NGINX_TAG, description = "Nginx management API")
  )
 )]
 pub struct ApiDoc;
--- a/apps/api/src/routes/api/restricted.rs
+++ b/apps/api/src/routes/api/restricted.rs
@@ -0,0 +1,18 @@
 pub mod nginx;
 pub mod user;
 use std::sync::Arc;
 use axum::Router;
 use crate::{middlewares::require_auth::require_auth, routes::AppState};
 pub fn get_restricted_router(state: Arc<AppState>) -> Router {
    Router::new()
        .nest("/user", user::get_user_router(state.clone()))
        .nest("/nginx", nginx::get_nginx_router(state.clone()))
        .layer(axum::middleware::from_fn_with_state(
            state.clone(),
            require_auth,
        ))
 }
--- a/apps/api/src/routes/api/restricted/nginx.rs
+++ b/apps/api/src/routes/api/restricted/nginx.rs
@@ -0,0 +1,14 @@
 pub mod proxy_host;
 pub mod upstream;
 use std::sync::Arc;
 use axum::Router;
 use crate::routes::AppState;
 pub fn get_nginx_router(state: Arc<AppState>) -> Router {
    Router::new()
        .merge(proxy_host::get_proxy_router(state.clone()))
        .merge(upstream::get_upstream_router(state.clone()))
 }
--- a/apps/api/src/routes/api/restricted/nginx/proxy_host.rs
+++ b/apps/api/src/routes/api/restricted/nginx/proxy_host.rs
@@ -0,0 +1,43 @@
 pub mod create_location;
 pub mod create_proxy;
 pub mod get_location;
 pub mod get_proxy;
 pub mod info;
 pub mod remove_location;
 pub mod remove_proxy;
 pub mod update_location;
 pub mod update_proxy;
 use std::sync::Arc;
 use axum::{
    Router,
    routing::{get, post},
 };
 use crate::routes::AppState;
 pub fn get_proxy_router(state: Arc<AppState>) -> Router {
    Router::new()
        .route(
            "/proxy_hosts",
            get(get_proxy::get_proxy_list).post(create_proxy::create_proxy),
        )
        .route(
            "/proxy_hosts/{proxy_id}",
            get(get_proxy::get_proxy)
                .patch(update_proxy::update_proxy)
                .delete(remove_proxy::remove_proxy),
        )
        .route(
            "/proxy_hosts/{proxy_id}/locations",
            post(create_location::create_location),
        )
        .route(
            "/locations/{location_id}",
            get(get_location::get_location)
                .patch(update_location::update_location)
                .delete(remove_location::remove_location),
        )
        .with_state(state)
 }
--- a/apps/api/src/routes/api/restricted/nginx/proxy_host/create_location.rs
+++ b/apps/api/src/routes/api/restricted/nginx/proxy_host/create_location.rs
@@ -0,0 +1,362 @@
 use std::sync::Arc;
 use axum::{Json, extract::State, response::Result as AxumResult};
 use sea_orm::TransactionTrait;
 use crate::{
    errors::api_error::ApiError,
    middlewares::request_info::AuthenticatedRequestInfo,
    routes::{
        AppState,
        api::{
            openapi::tag::NGINX_TAG,
            restricted::nginx::proxy_host::info::response::LocationInfoResponse,
        },
    },
    services::nginx::info::location::CreateLocationInfo,
 };
 #[derive(serde::Deserialize, utoipa::ToSchema, serde::Serialize)]
 #[serde(untagged)]
 pub enum CreateLocationRequestBody {
    // #[serde(rename = "upstream_id")]
    UpstreamId(CreateLocationRequestBodyByUpstreamId),
    // #[serde(rename = "proxy_pass")]
    ProxyPass(CreateLocationRequestBodyByProxyPass),
 }
 #[derive(serde::Deserialize, utoipa::ToSchema, serde::Serialize)]
 pub struct CreateLocationRequestBodyByUpstreamId {
    pub path: String,
    pub match_type: String,
    pub order: i64,
    pub upstream_id: uuid::Uuid,
    pub preserve_host_header: Option<bool>,
    pub allowed_methods: Option<Vec<String>>,
    pub custom_config: Option<String>,
 }
 #[derive(serde::Deserialize, utoipa::ToSchema, serde::Serialize)]
 pub struct CreateLocationRequestBodyByProxyPass {
    pub path: String,
    pub match_type: String,
    pub order: i64,
    pub proxy_pass_protocol: String,
    pub proxy_pass_host: String,
    pub proxy_pass_port: i64,
    pub preserve_host_header: Option<bool>,
    pub allowed_methods: Option<Vec<String>>,
    pub custom_config: Option<String>,
 }
 impl From<(uuid::Uuid, CreateLocationRequestBody)> for CreateLocationInfo {
    fn from(val: (uuid::Uuid, CreateLocationRequestBody)) -> Self {
        match val.1 {
            CreateLocationRequestBody::UpstreamId(body) => Self::from((val.0, body)),
            CreateLocationRequestBody::ProxyPass(body) => Self::from((val.0, body)),
        }
    }
 }
 impl From<(uuid::Uuid, CreateLocationRequestBodyByUpstreamId)> for CreateLocationInfo {
    fn from((proxy_id, payload): (uuid::Uuid, CreateLocationRequestBodyByUpstreamId)) -> Self {
        Self {
            host_id: proxy_id,
            path: payload.path,
            match_type: payload.match_type,
            order: payload.order,
            upstream_id: Some(payload.upstream_id),
            proxy_pass_protocol: None,
            proxy_pass_host: None,
            proxy_pass_port: None,
            preserve_host_header: payload.preserve_host_header,
            allowed_methods: payload.allowed_methods,
            custom_config: payload.custom_config,
            enabled: true,
        }
    }
 }
 impl From<(uuid::Uuid, CreateLocationRequestBodyByProxyPass)> for CreateLocationInfo {
    fn from((proxy_id, payload): (uuid::Uuid, CreateLocationRequestBodyByProxyPass)) -> Self {
        Self {
            host_id: proxy_id,
            path: payload.path,
            match_type: payload.match_type,
            order: payload.order,
            upstream_id: None,
            proxy_pass_protocol: Some(payload.proxy_pass_protocol),
            proxy_pass_host: Some(payload.proxy_pass_host),
            proxy_pass_port: Some(payload.proxy_pass_port),
            preserve_host_header: payload.preserve_host_header,
            allowed_methods: payload.allowed_methods,
            custom_config: payload.custom_config,
            enabled: true,
        }
    }
 }
 #[axum::debug_handler]
 #[utoipa::path(
    post,
    path = "/api/nginx/proxy_hosts/{proxy_id}/locations",
    request_body = CreateLocationRequestBody,
    responses(
        (status = 200, description = "Location created", body = LocationInfoResponse),
        (status = 401, description = "Unauthorized"),
        (status = 422, description = "Invalid request"),
        (status = 500, description = "Internal server error"),
    ),
    tag = NGINX_TAG,
 )]
 pub async fn create_location(
    _request_info: AuthenticatedRequestInfo,
    axum::extract::Path(proxy_id): axum::extract::Path<uuid::Uuid>,
    State(state): State<Arc<AppState>>,
    Json(payload): Json<CreateLocationRequestBody>,
 ) -> AxumResult<Json<LocationInfoResponse>, ApiError> {
    let svc = &state.service.nginx.get_location_service();
    let create_info: CreateLocationInfo = (proxy_id, payload).into();
    let mut tx = state.database_connection.begin().await?;
    let info = svc.create_location(create_info, Some(&mut tx)).await?;
    state
        .service
        .nginx
        .regenerate_and_apply_config(state.service.agent_client.clone(), &Some(&mut tx))
        .await?;
    tx.commit().await?;
    Ok(Json(info.into()))
 }
 #[cfg(test)]
 mod tests {
    use std::sync::Arc;
    use axum::http::StatusCode;
    use axum_test::TestServer;
    use sea_orm::{DatabaseBackend, DatabaseConnection, MockDatabase, MockRow};
    use database::generated::entities::{location, upstream, upstream_target};
    use crate::{
        configs::{FromConfig, ProgramSettings},
        middlewares::require_auth::mock::REQUEST_AUTH_USER_INVALID_HEADER,
        routes::api::restricted::nginx::proxy_host::{
            create_location::CreateLocationRequestBodyByProxyPass,
            create_location::CreateLocationRequestBodyByUpstreamId, get_proxy_router,
        },
        services::{agent_client::MockAgentService, get_mock_app_service},
    };
    fn get_router_with_state(db: DatabaseConnection) -> axum::Router {
        let program_settings = ProgramSettings::mock();
        let mut mock = MockAgentService::new();
        mock.expect_validate().returning(|_cfg| Ok(()));
        mock.expect_apply().returning(|_cfg| Ok(()));
        let mock_agent = Arc::new(mock);
        let app_service =
            get_mock_app_service(&Arc::new(db.clone()), &program_settings, mock_agent);
        let state = Arc::new(crate::routes::AppState {
            database_connection: Arc::new(db),
            service: Arc::new(app_service),
            config: Arc::new(program_settings),
        });
        get_proxy_router(state).layer(axum::middleware::from_fn(
            crate::middlewares::require_auth::mock::mock_require_auth,
        ))
    }
    #[tokio::test]
    async fn handler_create_location_succeeds_returns_created() {
        let ph_id = uuid::Uuid::new_v4();
        let loc_id = uuid::Uuid::new_v4();
        let loc_model = location::Model {
            id: loc_id,
            host_id: ph_id,
            path: "/".to_string(),
            match_type: "prefix".to_string(),
            order: 1,
            upstream_id: None,
            proxy_pass_protocol: None,
            proxy_pass_host: None,
            proxy_pass_port: None,
            preserve_host_header: None,
            allowed_methods: None,
            custom_config: None,
            enabled: true,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let up_id = uuid::Uuid::new_v4();
        let up_model = upstream::Model {
            id: up_id,
            name: "u1".to_string(),
            protocol: "http".to_string(),
            algorithm: "rr".to_string(),
            sticky_session: false,
            created_by: None,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let target_model = upstream_target::Model {
            id: uuid::Uuid::new_v4(),
            upstream_id: up_id,
            target_host: "127.0.0.1".to_string(),
            target_port: 8080,
            weight: 1,
            is_backup: false,
            enabled: true,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let dummy_row: Vec<MockRow> = vec![];
        let db = MockDatabase::new(DatabaseBackend::Sqlite)
            .append_query_results(vec![vec![loc_model.clone()]])
            // additional query result for regenerate_and_apply_config -> generate_config
            .append_query_results(vec![vec![(up_model.clone(), Some(target_model.clone()))]])
            .append_query_results(vec![dummy_row])
            .into_connection();
        let router = get_router_with_state(db.clone());
        let server = TestServer::new(router).expect("failed to create test server");
        let payload = CreateLocationRequestBodyByUpstreamId {
            path: "/".to_string(),
            match_type: "prefix".to_string(),
            order: 1,
            upstream_id: up_id,
            preserve_host_header: None,
            allowed_methods: None,
            custom_config: None,
        };
        let res = server
            .post(&format!("/proxy_hosts/{}/locations", ph_id))
            .json(&payload)
            .await;
        res.assert_status_ok();
        let body = res.json::<crate::routes::api::restricted::nginx::proxy_host::info::response::LocationInfoResponse>();
        assert_eq!(body.id, loc_id);
    }
    #[tokio::test]
    async fn handler_create_location_proxy_pass_succeeds_returns_created() {
        let ph_id = uuid::Uuid::new_v4();
        let loc_id = uuid::Uuid::new_v4();
        let loc_model = location::Model {
            id: loc_id,
            host_id: ph_id,
            path: "/".to_string(),
            match_type: "prefix".to_string(),
            order: 1,
            upstream_id: None,
            proxy_pass_protocol: Some("http".to_string()),
            proxy_pass_host: Some("127.0.0.1".to_string()),
            proxy_pass_port: Some(8080),
            preserve_host_header: None,
            allowed_methods: None,
            custom_config: None,
            enabled: true,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let up_id = uuid::Uuid::new_v4();
        let up_model = upstream::Model {
            id: up_id,
            name: "u1".to_string(),
            protocol: "http".to_string(),
            algorithm: "rr".to_string(),
            sticky_session: false,
            created_by: None,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let target_model = upstream_target::Model {
            id: uuid::Uuid::new_v4(),
            upstream_id: up_id,
            target_host: "127.0.0.1".to_string(),
            target_port: 8080,
            weight: 1,
            is_backup: false,
            enabled: true,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let dummy_row: Vec<MockRow> = vec![];
        let db = MockDatabase::new(DatabaseBackend::Sqlite)
            .append_query_results(vec![vec![loc_model.clone()]])
            // additional query result for regenerate_and_apply_config -> generate_config
            .append_query_results(vec![vec![(up_model.clone(), Some(target_model.clone()))]])
            .append_query_results(vec![dummy_row])
            .into_connection();
        let router = get_router_with_state(db.clone());
        let server = TestServer::new(router).expect("failed to create test server");
        let payload = CreateLocationRequestBodyByProxyPass {
            path: "/".to_string(),
            match_type: "prefix".to_string(),
            order: 1,
            proxy_pass_protocol: "http".to_string(),
            proxy_pass_host: "127.0.0.1".to_string(),
            proxy_pass_port: 8080,
            preserve_host_header: None,
            allowed_methods: None,
            custom_config: None,
        };
        let res = server
            .post(&format!("/proxy_hosts/{}/locations", ph_id))
            .json(&payload)
            .await;
        res.assert_status_ok();
        let body = res.json::<crate::routes::api::restricted::nginx::proxy_host::info::response::LocationInfoResponse>();
        assert_eq!(body.id, loc_id);
    }
    #[tokio::test]
    async fn handler_create_location_invalid_payload_returns_bad_request() {
        let db = MockDatabase::new(DatabaseBackend::Sqlite).into_connection();
        let router = get_router_with_state(db.clone());
        let server = TestServer::new(router).expect("failed to create test server");
        let res = server
            .post(&format!("/proxy_hosts/{}/locations", uuid::Uuid::new_v4()))
            .json(&serde_json::json!({}))
            .await;
        res.assert_status(StatusCode::UNPROCESSABLE_ENTITY);
    }
    #[tokio::test]
    async fn handler_create_location_unauthenticated_returns_unauthorized() {
        let db = MockDatabase::new(DatabaseBackend::Sqlite).into_connection();
        let router = get_router_with_state(db.clone());
        let server = TestServer::new(router).expect("failed to create test server");
        let payload = CreateLocationRequestBodyByUpstreamId {
            path: "/".to_string(),
            match_type: "prefix".to_string(),
            order: 1,
            upstream_id: uuid::Uuid::new_v4(),
            preserve_host_header: None,
            allowed_methods: None,
            custom_config: None,
        };
        let res = server
            .post(&format!("/proxy_hosts/{}/locations", uuid::Uuid::new_v4()))
            .add_header(REQUEST_AUTH_USER_INVALID_HEADER, "true")
            .json(&payload)
            .await;
        res.assert_status(StatusCode::UNAUTHORIZED);
    }
 }
--- a/apps/api/src/routes/api/restricted/nginx/proxy_host/create_proxy.rs
+++ b/apps/api/src/routes/api/restricted/nginx/proxy_host/create_proxy.rs
@@ -0,0 +1,310 @@
 use std::sync::Arc;
 use axum::{Json, extract::State, response::Result as AxumResult};
 use sea_orm::TransactionTrait;
 use crate::{
    errors::api_error::ApiError,
    middlewares::request_info::AuthenticatedRequestInfo,
    routes::{
        AppState,
        api::{
            openapi::tag::NGINX_TAG,
            restricted::nginx::proxy_host::info::response::ProxyHostInfoResponse,
        },
    },
    services::nginx::info::proxy_host::ProxyHostCreateInfo,
 };
 #[derive(serde::Deserialize, utoipa::ToSchema, serde::Serialize)]
 pub struct CreateLocationReq {
    pub path: String,
    pub match_type: String,
    pub order: i64,
    pub upstream_id: Option<uuid::Uuid>,
 }
 #[cfg(test)]
 mod tests {
    use std::sync::Arc;
    use axum::http::StatusCode;
    use axum_test::TestServer;
    use sea_orm::{DatabaseBackend, DatabaseConnection, MockDatabase, MockRow};
    use database::generated::entities::{location, proxy_host, upstream, upstream_target};
    use crate::{
        configs::{FromConfig, ProgramSettings},
        middlewares::require_auth::mock::REQUEST_AUTH_USER_INVALID_HEADER,
        routes::api::restricted::nginx::proxy_host::create_proxy::CreateLocationReq as ReqLocation,
        routes::api::restricted::nginx::proxy_host::create_proxy::CreateProxyRequestBody,
        routes::api::restricted::nginx::proxy_host::get_proxy_router,
        services::{agent_client::MockAgentService, get_mock_app_service},
    };
    fn get_router_with_state(db: DatabaseConnection) -> axum::Router {
        let program_settings = ProgramSettings::mock();
        let mut mock = MockAgentService::new();
        mock.expect_validate().returning(|_cfg| Ok(()));
        mock.expect_apply().returning(|_cfg| Ok(()));
        let mock_agent = Arc::new(mock);
        let app_service =
            get_mock_app_service(&Arc::new(db.clone()), &program_settings, mock_agent);
        let state = Arc::new(crate::routes::AppState {
            database_connection: Arc::new(db),
            service: Arc::new(app_service),
            config: Arc::new(program_settings),
        });
        get_proxy_router(state).layer(axum::middleware::from_fn(
            crate::middlewares::require_auth::mock::mock_require_auth,
        ))
    }
    #[tokio::test]
    async fn handler_create_proxy_succeeds_returns_created() {
        let ph_id = uuid::Uuid::new_v4();
        let ph_model = proxy_host::Model {
            id: ph_id,
            name: Some("myproxy".to_string()),
            domain: "example.com".to_string(),
            scheme: "http".to_string(),
            listen_port: 80,
            forward_scheme: "http".to_string(),
            forward_host: None,
            forward_port: None,
            preserve_host_header: false,
            enable_websocket: false,
            enabled: true,
            meta: None,
            default_upstream_id: None,
            created_by: None,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let loc_id = uuid::Uuid::new_v4();
        let loc_model = location::Model {
            id: loc_id,
            host_id: ph_id,
            path: "/".to_string(),
            match_type: "prefix".to_string(),
            order: 1,
            upstream_id: None,
            proxy_pass_protocol: None,
            proxy_pass_host: None,
            proxy_pass_port: None,
            preserve_host_header: None,
            allowed_methods: None,
            custom_config: None,
            enabled: true,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let up_id = uuid::Uuid::new_v4();
        let up_model = upstream::Model {
            id: up_id,
            name: "u1".to_string(),
            protocol: "http".to_string(),
            algorithm: "rr".to_string(),
            sticky_session: false,
            created_by: None,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let target_model = upstream_target::Model {
            id: uuid::Uuid::new_v4(),
            upstream_id: up_id,
            target_host: "127.0.0.1".to_string(),
            target_port: 8080,
            weight: 1,
            is_backup: false,
            enabled: true,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let dummy_row: Vec<MockRow> = vec![];
        let db = MockDatabase::new(DatabaseBackend::Sqlite)
            .append_query_results(vec![vec![ph_model.clone()]])
            .append_query_results(vec![vec![loc_model.clone()]])
            // additional query result for regenerate_and_apply_config -> generate_config
            .append_query_results(vec![vec![(up_model.clone(), Some(target_model.clone()))]])
            .append_query_results(vec![dummy_row])
            .into_connection();
        let router = get_router_with_state(db.clone());
        let server = TestServer::new(router).expect("failed to create test server");
        let payload = CreateProxyRequestBody {
            name: Some("myproxy".to_string()),
            domain: "example.com".to_string(),
            scheme: "http".to_string(),
            listen_port: 80,
            forward_scheme: "http".to_string(),
            forward_host: None,
            forward_port: None,
            preserve_host_header: false,
            enable_websocket: false,
            enabled: true,
            meta: None,
            default_upstream_id: None,
            locations: vec![ReqLocation {
                path: "/".to_string(),
                match_type: "prefix".to_string(),
                order: 1,
                upstream_id: None,
            }],
        };
        let res = server.post("/proxy_hosts").json(&payload).await;
        res.assert_status_ok();
        let body: crate::routes::api::restricted::nginx::proxy_host::info::response::ProxyHostInfoResponse =
            res.json();
        assert_eq!(body.id, ph_id);
        assert_eq!(body.domain, "example.com");
        assert_eq!(body.locations.len(), 1);
        assert_eq!(body.locations[0].id, loc_id);
    }
    #[tokio::test]
    async fn handler_create_proxy_invalid_payload_returns_bad_request() {
        let db = MockDatabase::new(DatabaseBackend::Sqlite).into_connection();
        let router = get_router_with_state(db.clone());
        let server = TestServer::new(router).expect("failed to create test server");
        let res = server
            .post("/proxy_hosts")
            .json(&serde_json::json!({}))
            .await;
        res.assert_status(StatusCode::UNPROCESSABLE_ENTITY);
    }
    #[tokio::test]
    async fn handler_create_proxy_unauthenticated_returns_unauthorized() {
        let db = MockDatabase::new(DatabaseBackend::Sqlite).into_connection();
        let router = get_router_with_state(db.clone());
        let server = TestServer::new(router).expect("failed to create test server");
        let payload = CreateProxyRequestBody {
            name: Some("myproxy".to_string()),
            domain: "example.com".to_string(),
            scheme: "http".to_string(),
            listen_port: 80,
            forward_scheme: "http".to_string(),
            forward_host: None,
            forward_port: None,
            preserve_host_header: false,
            enable_websocket: false,
            enabled: true,
            meta: None,
            default_upstream_id: None,
            locations: vec![],
        };
        let res = server
            .post("/proxy_hosts")
            .add_header(REQUEST_AUTH_USER_INVALID_HEADER, "true")
            .json(&payload)
            .await;
        res.assert_status(StatusCode::UNAUTHORIZED);
    }
 }
 #[derive(serde::Deserialize, utoipa::ToSchema, serde::Serialize)]
 pub struct CreateProxyRequestBody {
    pub name: Option<String>,
    pub domain: String,
    pub scheme: String,
    pub listen_port: i64,
    pub forward_scheme: String,
    pub forward_host: Option<String>,
    pub forward_port: Option<i64>,
    pub preserve_host_header: bool,
    pub enable_websocket: bool,
    pub enabled: bool,
    pub meta: Option<serde_json::Value>,
    pub default_upstream_id: Option<uuid::Uuid>,
    pub locations: Vec<CreateLocationReq>,
 }
 impl From<CreateProxyRequestBody> for ProxyHostCreateInfo {
    fn from(val: CreateProxyRequestBody) -> Self {
        Self {
            name: val.name,
            domain: val.domain,
            scheme: val.scheme,
            listen_port: val.listen_port,
            forward_scheme: val.forward_scheme,
            forward_host: val.forward_host,
            forward_port: val.forward_port,
            preserve_host_header: val.preserve_host_header,
            enable_websocket: val.enable_websocket,
            enabled: val.enabled,
            meta: val.meta,
            default_upstream_id: val.default_upstream_id,
            created_by: None,
            locations: val
                .locations
                .into_iter()
                .map(
                    |l| crate::services::nginx::info::location::CreateLocationInfo {
                        host_id: uuid::Uuid::nil(),
                        path: l.path,
                        match_type: l.match_type,
                        order: l.order,
                        upstream_id: l.upstream_id,
                        proxy_pass_protocol: None,
                        proxy_pass_host: None,
                        proxy_pass_port: None,
                        preserve_host_header: None,
                        allowed_methods: None,
                        custom_config: None,
                        enabled: true,
                    },
                )
                .collect(),
        }
    }
 }
 #[axum::debug_handler]
 #[utoipa::path(
    post,
    path = "/api/nginx/proxy_hosts",
    request_body = CreateProxyRequestBody,
    responses(
        (status = 200, description = "Proxy created successfully", body = ProxyHostInfoResponse),
        (status = 401, description = "Unauthorized"),
        (status = 422, description = "Invalid request"),
        (status = 500, description = "Internal server error"),
    ),
    tag = NGINX_TAG,
 )]
 pub async fn create_proxy(
    request_info: AuthenticatedRequestInfo,
    State(state): State<Arc<AppState>>,
    Json(payload): Json<CreateProxyRequestBody>,
 ) -> AxumResult<Json<ProxyHostInfoResponse>, ApiError> {
    let proxy_service = &state.service.nginx.get_proxy_service();
    let mut create_info: ProxyHostCreateInfo = payload.into();
    create_info.created_by = Some(request_info.user_id);
    let mut tx = state.database_connection.begin().await?;
    let info = proxy_service
        .create_proxy(create_info, &Some(&mut tx))
        .await?;
    state
        .service
        .nginx
        .regenerate_and_apply_config(state.service.agent_client.clone(), &Some(&mut tx))
        .await?;
    tx.commit().await?;
    Ok(Json(info.into()))
 }
--- a/apps/api/src/routes/api/restricted/nginx/proxy_host/get_location.rs
+++ b/apps/api/src/routes/api/restricted/nginx/proxy_host/get_location.rs
@@ -0,0 +1,150 @@
 use std::sync::Arc;
 use crate::services::nginx::location::GetLocationOptions;
 use axum::{
    Json,
    extract::{Path, Query, State},
    response::Result as AxumResult,
 };
 use serde::{Deserialize, Serialize};
 use crate::{
    errors::api_error::ApiError,
    routes::{
        AppState,
        api::{
            openapi::tag::NGINX_TAG,
            restricted::nginx::proxy_host::info::response::LocationInfoResponse,
        },
    },
 };
 #[derive(Serialize, Deserialize, utoipa::ToSchema)]
 pub struct GetLocationParams {
    pub include_upstream: Option<bool>,
 }
 pub struct ConcreteGetLocationParams {
    pub include_upstream: bool,
 }
 impl From<GetLocationParams> for ConcreteGetLocationParams {
    fn from(params: GetLocationParams) -> Self {
        Self {
            include_upstream: params.include_upstream.unwrap_or(false),
        }
    }
 }
 #[utoipa::path(
    get,
    path = "/api/nginx/locations/{location_id}",
    responses(
        (status = 200, description = "Get location info", body = LocationInfoResponse),
        (status = 404, description = "Not found"),
        (status = 500, description = "Internal server error"),
    ),
    tag = NGINX_TAG,
 )]
 #[axum::debug_handler]
 pub async fn get_location(
    Path(location_id): Path<uuid::Uuid>,
    Query(params): Query<GetLocationParams>,
    State(state): State<Arc<AppState>>,
 ) -> AxumResult<Json<LocationInfoResponse>, ApiError> {
    let concrete_params: ConcreteGetLocationParams = params.into();
    let svc = &state.service.nginx.get_location_service();
    let info = if concrete_params.include_upstream {
        svc.get_location(
            location_id,
            Some(GetLocationOptions {
                include_upstream: true,
                filter_by_enabled: false,
            }),
            None,
        )
        .await?
    } else {
        svc.get_location(location_id, None, None).await?
    };
    Ok(Json(info.into()))
 }
 #[cfg(test)]
 mod tests {
    use std::sync::Arc;
    use axum::http::StatusCode;
    use axum_test::TestServer;
    use sea_orm::{DatabaseBackend, DatabaseConnection, MockDatabase};
    use database::generated::entities::{location, proxy_host};
    use crate::{
        configs::{FromConfig, ProgramSettings},
        routes::api::restricted::nginx::proxy_host::get_proxy_router,
        services::get_app_service,
    };
    fn get_router_with_state(db: DatabaseConnection) -> axum::Router {
        let program_settings = ProgramSettings::mock();
        let app_service = get_app_service(&Arc::new(db.clone()), &program_settings);
        let state = Arc::new(crate::routes::AppState {
            database_connection: Arc::new(db),
            service: Arc::new(app_service),
            config: Arc::new(program_settings),
        });
        get_proxy_router(state)
    }
    #[tokio::test]
    async fn handler_get_location_returns_info() {
        let loc_id = uuid::Uuid::new_v4();
        let loc_model = location::Model {
            id: loc_id,
            host_id: uuid::Uuid::new_v4(),
            path: "/".to_string(),
            match_type: "prefix".to_string(),
            order: 1,
            upstream_id: None,
            proxy_pass_protocol: None,
            proxy_pass_host: None,
            proxy_pass_port: None,
            preserve_host_header: None,
            allowed_methods: None,
            custom_config: None,
            enabled: true,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let db = MockDatabase::new(DatabaseBackend::Sqlite)
            .append_query_results(vec![vec![(
                loc_model.clone(),
                Option::<proxy_host::Model>::None,
            )]])
            .into_connection();
        let router = get_router_with_state(db.clone());
        let server = TestServer::new(router).expect("failed to create test server");
        let res = server.get(&format!("/locations/{}", loc_id)).await;
        res.assert_status_ok();
        let body = res.json::<crate::routes::api::restricted::nginx::proxy_host::info::response::LocationInfoResponse>();
        assert_eq!(body.id, loc_id);
    }
    #[tokio::test]
    async fn handler_get_location_not_found_returns_not_found() {
        let db = MockDatabase::new(DatabaseBackend::Sqlite)
            .append_query_results(vec![Vec::<sea_orm::MockRow>::new()])
            .into_connection();
        let router = get_router_with_state(db.clone());
        let server = TestServer::new(router).expect("failed to create test server");
        let res = server
            .get(&format!("/locations/{}", uuid::Uuid::new_v4()))
            .await;
        res.assert_status(StatusCode::NOT_FOUND);
    }
 }
--- a/apps/api/src/routes/api/restricted/nginx/proxy_host/get_proxy.rs
+++ b/apps/api/src/routes/api/restricted/nginx/proxy_host/get_proxy.rs
@@ -0,0 +1,281 @@
 use std::sync::Arc;
 use axum::{
    Json,
    extract::{Path, Query, State},
    response::Result as AxumResult,
 };
 use serde::{Deserialize, Serialize};
 use uuid::Uuid;
 use crate::services::nginx::proxy_host::{ProxyHostGetOptions, ProxyHostListOptions};
 use crate::{
    errors::{api_error::ApiError, service_error::ServiceError},
    routes::{
        AppState,
        api::restricted::nginx::proxy_host::info::response::{
            ProxyHostInfoResponse, ProxyListResponse,
        },
        api::{
            helper::pagination::{ExtractPagination, PaginationInfo},
            openapi::tag::NGINX_TAG,
        },
    },
 };
 #[utoipa::path(
    get,
    path = "/api/nginx/proxy_hosts",
    responses(
        (status = 200, description = "List proxies", body = ProxyListResponse),
        (status = 500, description = "Internal server error"),
    ),
    tag = NGINX_TAG,
 )]
 #[axum::debug_handler]
 pub async fn get_proxy_list(
    ExtractPagination(pagination): ExtractPagination,
    State(state): State<Arc<AppState>>,
 ) -> AxumResult<Json<ProxyListResponse>, ServiceError> {
    let svc = &state.service.nginx.get_proxy_service();
    let (proxies_res, proxies_count_res) = tokio::join!(
        svc.get_proxies(
            Some(pagination.clone().into()),
            Some(ProxyHostListOptions {
                include_upstream: true,
                filter_by_enabled: false,
            }),
            &None,
        ),
        svc.get_total_proxies(None, &None),
    );
    let proxies = proxies_res?;
    let proxies_count = proxies_count_res?;
    let items: Vec<ProxyHostInfoResponse> = proxies.into_iter().map(|i| i.into()).collect();
    Ok(Json(ProxyListResponse {
        items,
        pagination: PaginationInfo {
            total_items: proxies_count,
            total_pages: if proxies_count == 0 {
                0
            } else {
                (proxies_count as f32 / pagination.per_page as f32).ceil() as u32
            },
            current_page: pagination.page,
            per_page: pagination.per_page,
        },
    }))
 }
 #[cfg(test)]
 mod tests {
    use std::sync::Arc;
    use axum::http::StatusCode;
    use axum_test::TestServer;
    use sea_orm::{DatabaseBackend, DatabaseConnection, MockDatabase, Value};
    use database::generated::entities::{location, proxy_host};
    use crate::{
        configs::{FromConfig, ProgramSettings},
        routes::api::restricted::nginx::proxy_host::get_proxy_router,
        services::get_app_service,
    };
    fn get_router_with_state(db: DatabaseConnection) -> axum::Router {
        let program_settings = ProgramSettings::mock();
        let app_service = get_app_service(&Arc::new(db.clone()), &program_settings);
        let state = Arc::new(crate::routes::AppState {
            database_connection: Arc::new(db),
            service: Arc::new(app_service),
            config: Arc::new(program_settings),
        });
        get_proxy_router(state)
    }
    #[tokio::test]
    async fn handler_get_proxy_list_returns_list() {
        let p1 = proxy_host::Model {
            id: uuid::Uuid::new_v4(),
            name: Some("p1".to_string()),
            domain: "a.com".to_string(),
            scheme: "http".to_string(),
            listen_port: 80,
            forward_scheme: "http".to_string(),
            forward_host: None,
            forward_port: None,
            preserve_host_header: false,
            enable_websocket: false,
            enabled: true,
            meta: None,
            default_upstream_id: None,
            created_by: None,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let p2 = proxy_host::Model {
            id: uuid::Uuid::new_v4(),
            name: Some("p2".to_string()),
            domain: "b.com".to_string(),
            scheme: "http".to_string(),
            listen_port: 80,
            forward_scheme: "http".to_string(),
            forward_host: None,
            forward_port: None,
            preserve_host_header: false,
            enable_websocket: false,
            enabled: true,
            meta: None,
            default_upstream_id: None,
            created_by: None,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let db = MockDatabase::new(DatabaseBackend::Sqlite)
            .append_query_results(vec![vec![
                (p1.clone(), None::<location::Model>),
                (p2.clone(), None::<location::Model>),
            ]])
            .append_query_results(vec![vec![std::collections::BTreeMap::from([(
                "count".to_string(),
                Value::BigInt(Some(2)),
            )])]])
            .into_connection();
        let router = get_router_with_state(db.clone());
        let server = TestServer::new(router).expect("failed to create test server");
        let res = server.get("/proxy_hosts").await;
        res.assert_status_ok();
        let body = res.json::<crate::routes::api::restricted::nginx::proxy_host::info::response::ProxyListResponse>();
        assert_eq!(body.items.len(), 2);
        assert_eq!(body.pagination.current_page, 1u32);
        assert_eq!(body.pagination.total_pages, 1u32);
    }
    #[tokio::test]
    async fn handler_get_proxy_with_locations_returns_locations() {
        let ph_id = uuid::Uuid::new_v4();
        let ph_model = proxy_host::Model {
            id: ph_id,
            name: Some("with_locations".to_string()),
            domain: "with.com".to_string(),
            scheme: "http".to_string(),
            listen_port: 80,
            forward_scheme: "http".to_string(),
            forward_host: None,
            forward_port: None,
            preserve_host_header: false,
            enable_websocket: false,
            enabled: true,
            meta: None,
            default_upstream_id: None,
            created_by: None,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let loc_model = location::Model {
            id: uuid::Uuid::new_v4(),
            host_id: ph_id,
            path: "/path".to_string(),
            match_type: "prefix".to_string(),
            order: 1,
            upstream_id: None,
            proxy_pass_protocol: None,
            proxy_pass_host: None,
            proxy_pass_port: None,
            preserve_host_header: None,
            allowed_methods: None,
            custom_config: None,
            enabled: true,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let db = MockDatabase::new(DatabaseBackend::Sqlite)
            .append_query_results(vec![vec![(ph_model.clone(), Some(loc_model.clone()))]])
            .into_connection();
        let router = get_router_with_state(db.clone());
        let server = TestServer::new(router).expect("failed to create test server");
        let url = format!("/proxy_hosts/{}", ph_id);
        let res = server.get(&url).await;
        res.assert_status_ok();
        let body = res.json::<crate::routes::api::restricted::nginx::proxy_host::info::response::ProxyHostInfoResponse>();
        assert_eq!(body.id, ph_id);
        assert_eq!(body.locations.len(), 1);
        assert_eq!(body.locations[0].path, "/path");
    }
    #[tokio::test]
    async fn handler_get_proxy_not_found_returns_not_found() {
        let db = MockDatabase::new(DatabaseBackend::Sqlite)
            .append_query_results(vec![Vec::<sea_orm::MockRow>::new()])
            .into_connection();
        let router = get_router_with_state(db.clone());
        let server = TestServer::new(router).expect("failed to create test server");
        let res = server
            .get(&format!("/proxy_hosts/{}", uuid::Uuid::new_v4()))
            .await;
        res.assert_status(StatusCode::NOT_FOUND);
    }
 }
 #[derive(Serialize, Deserialize, utoipa::ToSchema)]
 pub struct GetProxyParams {
    pub include_upstream: Option<bool>,
 }
 pub struct ConcreteGetProxyParams {
    pub include_upstream: bool,
 }
 impl From<GetProxyParams> for ConcreteGetProxyParams {
    fn from(params: GetProxyParams) -> Self {
        Self {
            include_upstream: params.include_upstream.unwrap_or(false),
        }
    }
 }
 #[utoipa::path(
    get,
    path = "/api/nginx/proxy_hosts/{proxy_id}",
    responses(
        (status = 200, description = "Get proxy info", body = ProxyHostInfoResponse),
        (status = 404, description = "Not found"),
        (status = 500, description = "Internal server error"),
    ),
    tag = NGINX_TAG,
 )]
 pub async fn get_proxy(
    Path(proxy_id): Path<Uuid>,
    Query(params): Query<GetProxyParams>,
    State(state): State<Arc<AppState>>,
 ) -> AxumResult<Json<ProxyHostInfoResponse>, ApiError> {
    let concrete_params: ConcreteGetProxyParams = params.into();
    let svc = &state.service.nginx.get_proxy_service();
    let info = if concrete_params.include_upstream {
        svc.get_proxy(
            proxy_id,
            Some(ProxyHostGetOptions {
                include_upstream: true,
                filter_by_enabled: false,
            }),
            &None,
        )
        .await?
    } else {
        svc.get_proxy(proxy_id, None, &None).await?
    };
    Ok(Json(info.into()))
 }
--- a/apps/api/src/routes/api/restricted/nginx/proxy_host/info/mod.rs
+++ b/apps/api/src/routes/api/restricted/nginx/proxy_host/info/mod.rs
@@ -0,0 +1 @@
 pub mod response;
--- a/apps/api/src/routes/api/restricted/nginx/proxy_host/info/response.rs
+++ b/apps/api/src/routes/api/restricted/nginx/proxy_host/info/response.rs
@@ -0,0 +1,91 @@
 use chrono::{DateTime, Utc};
 use serde::{Deserialize, Serialize};
 use crate::routes::api::helper::pagination::PaginationInfo;
 #[derive(Serialize, Deserialize, utoipa::ToSchema)]
 pub struct LocationInfoResponse {
    pub id: uuid::Uuid,
    pub host_id: uuid::Uuid,
    pub path: String,
    pub match_type: String,
    pub order: i64,
    pub upstream_id: Option<uuid::Uuid>,
    pub enabled: bool,
    pub created_at: DateTime<Utc>,
    pub updated_at: DateTime<Utc>,
 }
 impl From<crate::services::nginx::info::location::LocationInfo> for LocationInfoResponse {
    fn from(info: crate::services::nginx::info::location::LocationInfo) -> Self {
        Self {
            id: info.id,
            host_id: info.host_id,
            path: info.path,
            match_type: info.match_type,
            order: info.order,
            upstream_id: info.upstream_id,
            enabled: info.enabled,
            created_at: info.created_at,
            updated_at: info.updated_at,
        }
    }
 }
 #[derive(Serialize, Deserialize, utoipa::ToSchema)]
 pub struct ProxyHostInfoResponse {
    pub id: uuid::Uuid,
    pub name: Option<String>,
    pub domain: String,
    pub scheme: String,
    pub listen_port: i64,
    pub forward_scheme: String,
    pub forward_host: Option<String>,
    pub forward_port: Option<i64>,
    pub preserve_host_header: bool,
    pub enable_websocket: bool,
    pub enabled: bool,
    pub created_at: DateTime<Utc>,
    pub updated_at: DateTime<Utc>,
    pub upstream: Option<ProxyHostUpstreamBasic>,
    pub locations: Vec<LocationInfoResponse>,
 }
 #[derive(Serialize, Deserialize, utoipa::ToSchema)]
 pub struct ProxyHostUpstreamBasic {
    pub id: uuid::Uuid,
    pub name: String,
    pub protocol: String,
 }
 impl From<crate::services::nginx::info::proxy_host::ProxyHostInfo> for ProxyHostInfoResponse {
    fn from(info: crate::services::nginx::info::proxy_host::ProxyHostInfo) -> Self {
        Self {
            id: info.id,
            name: info.name,
            domain: info.domain,
            scheme: info.scheme,
            listen_port: info.listen_port,
            forward_scheme: info.forward_scheme,
            forward_host: info.forward_host,
            forward_port: info.forward_port,
            preserve_host_header: info.preserve_host_header,
            enable_websocket: info.enable_websocket,
            enabled: info.enabled,
            created_at: info.created_at,
            updated_at: info.updated_at,
            upstream: info.upstream.map(|u| ProxyHostUpstreamBasic {
                id: u.id,
                name: u.name,
                protocol: u.protocol,
            }),
            locations: info.locations.into_iter().map(|l| l.into()).collect(),
        }
    }
 }
 #[derive(Serialize, Deserialize, utoipa::ToSchema)]
 pub struct ProxyListResponse {
    pub items: Vec<ProxyHostInfoResponse>,
    pub pagination: PaginationInfo,
 }
--- a/apps/api/src/routes/api/restricted/nginx/proxy_host/remove_location.rs
+++ b/apps/api/src/routes/api/restricted/nginx/proxy_host/remove_location.rs
@@ -0,0 +1,159 @@
 use std::sync::Arc;
 use axum::{
    Json,
    extract::{Path, State},
    response::Result as AxumResult,
 };
 use sea_orm::TransactionTrait;
 use crate::{
    errors::api_error::ApiError,
    middlewares::request_info::AuthenticatedRequestInfo,
    routes::{AppState, api::openapi::tag::NGINX_TAG},
 };
 #[utoipa::path(
    delete,
    path = "/api/nginx/locations/{location_id}",
    responses(
        (status = 200, description = "Location removed successfully", body = ()),
        (status = 401, description = "Unauthorized"),
        (status = 404, description = "Not found"),
        (status = 500, description = "Internal server error"),
    ),
    tag = NGINX_TAG,
 )]
 #[axum::debug_handler]
 pub async fn remove_location(
    _request_info: AuthenticatedRequestInfo,
    Path(location_id): Path<uuid::Uuid>,
    State(state): State<Arc<AppState>>,
 ) -> AxumResult<Json<()>, ApiError> {
    let svc = &state.service.nginx.get_location_service();
    let mut tx = state.database_connection.begin().await?;
    svc.delete_location(location_id, Some(&mut tx)).await?;
    state
        .service
        .nginx
        .regenerate_and_apply_config(state.service.agent_client.clone(), &Some(&mut tx))
        .await?;
    tx.commit().await?;
    Ok(Json(()))
 }
 #[cfg(test)]
 mod tests {
    use std::sync::Arc;
    use axum::http::StatusCode;
    use axum_test::TestServer;
    use sea_orm::{DatabaseBackend, DatabaseConnection, MockDatabase, MockRow};
    use database::generated::entities::{location, upstream, upstream_target};
    use crate::{
        configs::{FromConfig, ProgramSettings},
        routes::api::restricted::nginx::proxy_host::get_proxy_router,
        services::{agent_client::MockAgentService, get_mock_app_service},
    };
    fn get_router_with_state(db: DatabaseConnection) -> axum::Router {
        let program_settings = ProgramSettings::mock();
        let mut mock = MockAgentService::new();
        mock.expect_validate().returning(|_cfg| Ok(()));
        mock.expect_apply().returning(|_cfg| Ok(()));
        let mock_agent = Arc::new(mock);
        let app_service =
            get_mock_app_service(&Arc::new(db.clone()), &program_settings, mock_agent);
        let state = Arc::new(crate::routes::AppState {
            database_connection: Arc::new(db),
            service: Arc::new(app_service),
            config: Arc::new(program_settings),
        });
        get_proxy_router(state).layer(axum::middleware::from_fn(
            crate::middlewares::require_auth::mock::mock_require_auth,
        ))
    }
    #[tokio::test]
    async fn handler_remove_location_succeeds_returns_ok() {
        let loc_id = uuid::Uuid::new_v4();
        let existing = location::Model {
            id: loc_id,
            host_id: uuid::Uuid::new_v4(),
            path: "/".to_string(),
            match_type: "prefix".to_string(),
            order: 1,
            upstream_id: None,
            proxy_pass_protocol: None,
            proxy_pass_host: None,
            proxy_pass_port: None,
            preserve_host_header: None,
            allowed_methods: None,
            custom_config: None,
            enabled: true,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let up_id = uuid::Uuid::new_v4();
        let up_model = upstream::Model {
            id: up_id,
            name: "u1".to_string(),
            protocol: "http".to_string(),
            algorithm: "rr".to_string(),
            sticky_session: false,
            created_by: None,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let target_model = upstream_target::Model {
            id: uuid::Uuid::new_v4(),
            upstream_id: up_id,
            target_host: "127.0.0.1".to_string(),
            target_port: 8080,
            weight: 1,
            is_backup: false,
            enabled: true,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let dummy_row: Vec<MockRow> = vec![];
        let db = MockDatabase::new(DatabaseBackend::Sqlite)
            .append_query_results(vec![vec![existing.clone()]])
            .append_exec_results(vec![sea_orm::MockExecResult {
                rows_affected: 1,
                last_insert_id: 0,
            }])
            // additional query result for regenerate_and_apply_config -> generate_config
            .append_query_results(vec![vec![(up_model.clone(), Some(target_model.clone()))]])
            .append_query_results(vec![dummy_row])
            .into_connection();
        let router = get_router_with_state(db.clone());
        let server = TestServer::new(router).expect("failed to create test server");
        let res = server.delete(&format!("/locations/{}", loc_id)).await;
        res.assert_status_ok();
    }
    #[tokio::test]
    async fn handler_remove_location_not_found_returns_not_found() {
        let empty_results: Vec<Vec<location::Model>> = vec![Vec::<location::Model>::new()];
        let db = MockDatabase::new(DatabaseBackend::Sqlite)
            .append_query_results(empty_results)
            .into_connection();
        let router = get_router_with_state(db.clone());
        let server = TestServer::new(router).expect("failed to create test server");
        let res = server
            .delete(&format!("/locations/{}", uuid::Uuid::new_v4()))
            .await;
        res.assert_status(StatusCode::NOT_FOUND);
    }
 }
--- a/apps/api/src/routes/api/restricted/nginx/proxy_host/remove_proxy.rs
+++ b/apps/api/src/routes/api/restricted/nginx/proxy_host/remove_proxy.rs
@@ -0,0 +1,182 @@
 use std::sync::Arc;
 use axum::{
    Json,
    extract::{Path, State},
    response::Result as AxumResult,
 };
 use sea_orm::TransactionTrait;
 use uuid::Uuid;
 use crate::{
    errors::api_error::ApiError,
    middlewares::request_info::AuthenticatedRequestInfo,
    routes::{AppState, api::openapi::tag::NGINX_TAG},
 };
 #[axum::debug_handler]
 #[utoipa::path(
    delete,
    path = "/api/nginx/proxy_hosts/{proxy_id}",
    responses(
        (status = 200, description = "Proxy removed successfully", body = ()),
        (status = 401, description = "Unauthorized"),
        (status = 404, description = "Not found"),
        (status = 500, description = "Internal server error"),
    ),
    tag = NGINX_TAG,
 )]
 pub async fn remove_proxy(
    _request_info: AuthenticatedRequestInfo,
    Path(proxy_id): Path<Uuid>,
    State(state): State<Arc<AppState>>,
 ) -> AxumResult<Json<()>, ApiError> {
    let svc = &state.service.nginx.get_proxy_service();
    let mut tx = state.database_connection.begin().await?;
    svc.delete_proxy(proxy_id, &Some(&mut tx)).await?;
    state
        .service
        .nginx
        .regenerate_and_apply_config(state.service.agent_client.clone(), &Some(&mut tx))
        .await?;
    tx.commit().await?;
    Ok(Json(()))
 }
 #[cfg(test)]
 mod tests {
    use std::sync::Arc;
    use axum::http::StatusCode;
    use axum_test::TestServer;
    use sea_orm::{DatabaseBackend, DatabaseConnection, MockDatabase, MockExecResult, MockRow};
    use database::generated::entities::{proxy_host, upstream, upstream_target};
    use crate::{
        configs::{FromConfig, ProgramSettings},
        middlewares::require_auth::mock::REQUEST_AUTH_USER_INVALID_HEADER,
        routes::api::restricted::nginx::proxy_host::get_proxy_router,
        services::{agent_client::MockAgentService, get_mock_app_service},
    };
    fn get_router_with_state(db: DatabaseConnection) -> axum::Router {
        let program_settings = ProgramSettings::mock();
        let mut mock = MockAgentService::new();
        mock.expect_validate().returning(|_cfg| Ok(()));
        mock.expect_apply().returning(|_cfg| Ok(()));
        let mock_agent = Arc::new(mock);
        let app_service =
            get_mock_app_service(&Arc::new(db.clone()), &program_settings, mock_agent);
        let state = Arc::new(crate::routes::AppState {
            database_connection: Arc::new(db),
            service: Arc::new(app_service),
            config: Arc::new(program_settings),
        });
        get_proxy_router(state).layer(axum::middleware::from_fn(
            crate::middlewares::require_auth::mock::mock_require_auth,
        ))
    }
    #[tokio::test]
    async fn handler_remove_proxy_succeeds_returns_ok() {
        let ph_id = uuid::Uuid::new_v4();
        let existing = proxy_host::Model {
            id: ph_id,
            name: Some("todelete".to_string()),
            domain: "d.com".to_string(),
            scheme: "http".to_string(),
            listen_port: 80,
            forward_scheme: "http".to_string(),
            forward_host: None,
            forward_port: None,
            preserve_host_header: false,
            enable_websocket: false,
            enabled: true,
            meta: None,
            default_upstream_id: None,
            created_by: None,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let up_id = uuid::Uuid::new_v4();
        let up_model = upstream::Model {
            id: up_id,
            name: "u1".to_string(),
            protocol: "http".to_string(),
            algorithm: "rr".to_string(),
            sticky_session: false,
            created_by: None,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let target_model = upstream_target::Model {
            id: uuid::Uuid::new_v4(),
            upstream_id: up_id,
            target_host: "127.0.0.1".to_string(),
            target_port: 8080,
            weight: 1,
            is_backup: false,
            enabled: true,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let dummy_row: Vec<MockRow> = vec![];
        let db = MockDatabase::new(DatabaseBackend::Sqlite)
            .append_query_results(vec![vec![existing.clone()]])
            .append_exec_results(vec![
                MockExecResult {
                    rows_affected: 1,
                    last_insert_id: 0,
                },
                MockExecResult {
                    rows_affected: 1,
                    last_insert_id: 0,
                },
            ])
            // additional query result for regenerate_and_apply_config -> generate_config
            .append_query_results(vec![vec![(up_model.clone(), Some(target_model.clone()))]])
            .append_query_results(vec![dummy_row])
            .into_connection();
        let router = get_router_with_state(db.clone());
        let server = TestServer::new(router).expect("failed to create test server");
        let res = server.delete(&format!("/proxy_hosts/{}", ph_id)).await;
        res.assert_status_ok();
    }
    #[tokio::test]
    async fn handler_remove_proxy_unauthenticated_returns_unauthorized() {
        let db = MockDatabase::new(DatabaseBackend::Sqlite).into_connection();
        let router = get_router_with_state(db.clone());
        let server = TestServer::new(router).expect("failed to create test server");
        let res = server
            .delete(&format!("/proxy_hosts/{}", uuid::Uuid::new_v4()))
            .add_header(REQUEST_AUTH_USER_INVALID_HEADER, "true")
            .await;
        res.assert_status(StatusCode::UNAUTHORIZED);
    }
    #[tokio::test]
    async fn handler_remove_proxy_not_found_returns_not_found() {
        let empty_results: Vec<Vec<proxy_host::Model>> = vec![Vec::<proxy_host::Model>::new()];
        let db = MockDatabase::new(DatabaseBackend::Sqlite)
            .append_query_results(empty_results)
            .into_connection();
        let router = get_router_with_state(db.clone());
        let server = TestServer::new(router).expect("failed to create test server");
        let res = server
            .delete(&format!("/proxy_hosts/{}", uuid::Uuid::new_v4()))
            .await;
        res.assert_status(StatusCode::NOT_FOUND);
    }
 }
--- a/apps/api/src/routes/api/restricted/nginx/proxy_host/update_location.rs
+++ b/apps/api/src/routes/api/restricted/nginx/proxy_host/update_location.rs
@@ -0,0 +1,220 @@
 use std::sync::Arc;
 use axum::{
    Json,
    extract::{Path, State},
    response::Result as AxumResult,
 };
 use sea_orm::TransactionTrait;
 use crate::{
    errors::api_error::ApiError,
    middlewares::request_info::AuthenticatedRequestInfo,
    routes::{
        AppState,
        api::{
            openapi::tag::NGINX_TAG,
            restricted::nginx::proxy_host::info::response::LocationInfoResponse,
        },
    },
    services::nginx::info::location::UpdateLocationInfo,
 };
 #[derive(serde::Deserialize, utoipa::ToSchema, serde::Serialize)]
 pub struct UpdateLocationRequestBody {
    pub path: Option<String>,
    pub match_type: Option<String>,
    pub order: Option<i64>,
    pub upstream_id: Option<Option<uuid::Uuid>>,
 }
 #[cfg(test)]
 mod tests {
    use std::sync::Arc;
    use axum::http::StatusCode;
    use axum_test::TestServer;
    use sea_orm::{DatabaseBackend, DatabaseConnection, MockDatabase, MockRow};
    use database::generated::entities::{location, upstream, upstream_target};
    use super::UpdateLocationRequestBody;
    use crate::{
        configs::{FromConfig, ProgramSettings},
        routes::api::restricted::nginx::proxy_host::get_proxy_router,
        services::{agent_client::MockAgentService, get_mock_app_service},
    };
    fn get_router_with_state(db: DatabaseConnection) -> axum::Router {
        let program_settings = ProgramSettings::mock();
        let mut mock = MockAgentService::new();
        mock.expect_validate().returning(|_cfg| Ok(()));
        mock.expect_apply().returning(|_cfg| Ok(()));
        let mock_agent = Arc::new(mock);
        let app_service =
            get_mock_app_service(&Arc::new(db.clone()), &program_settings, mock_agent);
        let state = Arc::new(crate::routes::AppState {
            database_connection: Arc::new(db),
            service: Arc::new(app_service),
            config: Arc::new(program_settings),
        });
        get_proxy_router(state).layer(axum::middleware::from_fn(
            crate::middlewares::require_auth::mock::mock_require_auth,
        ))
    }
    #[tokio::test]
    async fn handler_update_location_succeeds_returns_ok() {
        let loc_id = uuid::Uuid::new_v4();
        let current = location::Model {
            id: loc_id,
            host_id: uuid::Uuid::new_v4(),
            path: "/old".to_string(),
            match_type: "prefix".to_string(),
            order: 1,
            upstream_id: None,
            proxy_pass_protocol: None,
            proxy_pass_host: None,
            proxy_pass_port: None,
            preserve_host_header: None,
            allowed_methods: None,
            custom_config: None,
            enabled: true,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let updated = location::Model { ..current.clone() };
        let first: Vec<Vec<location::Model>> = vec![vec![current.clone()]];
        let second: Vec<Vec<location::Model>> = vec![vec![updated.clone()]];
        let up_id = uuid::Uuid::new_v4();
        let up_model = upstream::Model {
            id: up_id,
            name: "u1".to_string(),
            protocol: "http".to_string(),
            algorithm: "rr".to_string(),
            sticky_session: false,
            created_by: None,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let target_model = upstream_target::Model {
            id: uuid::Uuid::new_v4(),
            upstream_id: up_id,
            target_host: "127.0.0.1".to_string(),
            target_port: 8080,
            weight: 1,
            is_backup: false,
            enabled: true,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let dummy_row: Vec<MockRow> = vec![];
        let db = MockDatabase::new(DatabaseBackend::Sqlite)
            .append_query_results(first)
            .append_query_results(second)
            // additional query result for regenerate_and_apply_config -> generate_config
            .append_query_results(vec![vec![(up_model.clone(), Some(target_model.clone()))]])
            .append_query_results(vec![dummy_row])
            .into_connection();
        let router = get_router_with_state(db.clone());
        let server = TestServer::new(router).expect("failed to create test server");
        let payload = UpdateLocationRequestBody {
            path: Some("/new".to_string()),
            match_type: None,
            order: None,
            upstream_id: None,
        };
        let res = server
            .patch(&format!("/locations/{}", loc_id))
            .json(&payload)
            .await;
        res.assert_status_ok();
        let body = res.json::<crate::routes::api::restricted::nginx::proxy_host::info::response::LocationInfoResponse>();
        assert_eq!(body.id, loc_id);
    }
    #[tokio::test]
    async fn handler_update_location_not_found_returns_not_found() {
        let empty_results: Vec<Vec<location::Model>> = vec![Vec::<location::Model>::new()];
        let db = MockDatabase::new(DatabaseBackend::Sqlite)
            .append_query_results(empty_results)
            .into_connection();
        let router = get_router_with_state(db.clone());
        let server = TestServer::new(router).expect("failed to create test server");
        let payload = UpdateLocationRequestBody {
            path: Some("/new".to_string()),
            match_type: None,
            order: None,
            upstream_id: None,
        };
        let res = server
            .patch(&format!("/locations/{}", uuid::Uuid::new_v4()))
            .json(&payload)
            .await;
        res.assert_status(StatusCode::NOT_FOUND);
    }
 }
 impl From<UpdateLocationRequestBody> for UpdateLocationInfo {
    fn from(val: UpdateLocationRequestBody) -> Self {
        Self {
            path: val.path,
            match_type: val.match_type,
            order: val.order,
            upstream_id: val.upstream_id,
            proxy_pass_protocol: None,
            proxy_pass_host: None,
            proxy_pass_port: None,
            preserve_host_header: None,
            allowed_methods: None,
            custom_config: None,
            enabled: None,
        }
    }
 }
 #[axum::debug_handler]
 #[utoipa::path(
    patch,
    path = "/api/nginx/locations/{location_id}",
    request_body = UpdateLocationRequestBody,
    responses(
        (status = 200, description = "Location updated successfully", body = LocationInfoResponse),
        (status = 401, description = "Unauthorized"),
        (status = 404, description = "Not found"),
        (status = 422, description = "Invalid request"),
        (status = 500, description = "Internal server error"),
    ),
    tag = NGINX_TAG,
 )]
 pub async fn update_location(
    _request_info: AuthenticatedRequestInfo,
    Path(location_id): Path<uuid::Uuid>,
    State(state): State<Arc<AppState>>,
    Json(payload): Json<UpdateLocationRequestBody>,
 ) -> AxumResult<Json<LocationInfoResponse>, ApiError> {
    let svc = &state.service.nginx.get_location_service();
    let update: UpdateLocationInfo = payload.into();
    let mut tx = state.database_connection.begin().await?;
    let info = svc
        .update_location(location_id, update, Some(&mut tx))
        .await?;
    state
        .service
        .nginx
        .regenerate_and_apply_config(state.service.agent_client.clone(), &Some(&mut tx))
        .await?;
    tx.commit().await?;
    Ok(Json(info.into()))
 }
--- a/apps/api/src/routes/api/restricted/nginx/proxy_host/update_proxy.rs
+++ b/apps/api/src/routes/api/restricted/nginx/proxy_host/update_proxy.rs
@@ -0,0 +1,227 @@
 use std::sync::Arc;
 use axum::{
    Json,
    extract::{Path, State},
    response::Result as AxumResult,
 };
 use sea_orm::TransactionTrait;
 use crate::{
    errors::api_error::ApiError,
    middlewares::request_info::AuthenticatedRequestInfo,
    routes::{AppState, api::restricted::nginx::proxy_host::info::response::ProxyHostInfoResponse},
    services::nginx::info::proxy_host::UpdateProxyHostInfo,
 };
 #[derive(serde::Deserialize, utoipa::ToSchema, serde::Serialize)]
 pub struct UpdateProxyRequestBody {
    pub name: Option<Option<String>>,
    pub domain: Option<String>,
 }
 #[cfg(test)]
 mod tests {
    use std::sync::Arc;
    use axum::http::StatusCode;
    use axum_test::TestServer;
    use sea_orm::{DatabaseBackend, DatabaseConnection, MockDatabase, MockRow};
    use database::generated::entities::{proxy_host, upstream, upstream_target};
    use super::UpdateProxyRequestBody;
    use crate::{
        configs::{FromConfig, ProgramSettings},
        middlewares::require_auth::mock::REQUEST_AUTH_USER_INVALID_HEADER,
        routes::api::restricted::nginx::proxy_host::get_proxy_router,
        services::{agent_client::MockAgentService, get_mock_app_service},
    };
    fn get_router_with_state(db: DatabaseConnection) -> axum::Router {
        let program_settings = ProgramSettings::mock();
        let mut mock = MockAgentService::new();
        mock.expect_validate().returning(|_cfg| Ok(()));
        mock.expect_apply().returning(|_cfg| Ok(()));
        let mock_agent = Arc::new(mock);
        let app_service =
            get_mock_app_service(&Arc::new(db.clone()), &program_settings, mock_agent);
        let state = Arc::new(crate::routes::AppState {
            database_connection: Arc::new(db),
            service: Arc::new(app_service),
            config: Arc::new(program_settings),
        });
        get_proxy_router(state).layer(axum::middleware::from_fn(
            crate::middlewares::require_auth::mock::mock_require_auth,
        ))
    }
    #[tokio::test]
    async fn handler_update_proxy_succeeds_returns_ok() {
        let ph_id = uuid::Uuid::new_v4();
        let current = proxy_host::Model {
            id: ph_id,
            name: Some("oldname".to_string()),
            domain: "a.com".to_string(),
            scheme: "http".to_string(),
            listen_port: 80,
            forward_scheme: "http".to_string(),
            forward_host: None,
            forward_port: None,
            preserve_host_header: false,
            enable_websocket: false,
            enabled: true,
            meta: None,
            default_upstream_id: None,
            created_by: None,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let updated = proxy_host::Model { ..current.clone() };
        let first: Vec<Vec<proxy_host::Model>> = vec![vec![current.clone()]];
        let second: Vec<Vec<proxy_host::Model>> = vec![vec![updated.clone()]];
        let up_id = uuid::Uuid::new_v4();
        let up_model = upstream::Model {
            id: up_id,
            name: "u1".to_string(),
            protocol: "http".to_string(),
            algorithm: "rr".to_string(),
            sticky_session: false,
            created_by: None,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let target_model = upstream_target::Model {
            id: uuid::Uuid::new_v4(),
            upstream_id: up_id,
            target_host: "127.0.0.1".to_string(),
            target_port: 8080,
            weight: 1,
            is_backup: false,
            enabled: true,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let dummy_row: Vec<MockRow> = vec![];
        let db = MockDatabase::new(DatabaseBackend::Sqlite)
            .append_query_results(first)
            .append_query_results(second)
            // additional query result for regenerate_and_apply_config -> generate_config
            .append_query_results(vec![vec![(up_model.clone(), Some(target_model.clone()))]])
            .append_query_results(vec![dummy_row])
            .into_connection();
        let router = get_router_with_state(db.clone());
        let server = TestServer::new(router).expect("failed to create test server");
        let payload = UpdateProxyRequestBody {
            name: Some(Some("newname".to_string())),
            domain: Some("a.com".to_string()),
        };
        let res = server
            .patch(&format!("/proxy_hosts/{}", ph_id))
            .json(&payload)
            .await;
        res.assert_status_ok();
        let body: crate::routes::api::restricted::nginx::proxy_host::info::response::ProxyHostInfoResponse = res.json();
        assert_eq!(body.id, ph_id);
    }
    #[tokio::test]
    async fn handler_update_proxy_unauthenticated_returns_unauthorized() {
        let db = MockDatabase::new(DatabaseBackend::Sqlite).into_connection();
        let router = get_router_with_state(db.clone());
        let server = TestServer::new(router).expect("failed to create test server");
        let payload = UpdateProxyRequestBody {
            name: Some(Some("newname".to_string())),
            domain: None,
        };
        let res = server
            .patch(&format!("/proxy_hosts/{}", uuid::Uuid::new_v4()))
            .add_header(REQUEST_AUTH_USER_INVALID_HEADER, "true")
            .json(&payload)
            .await;
        res.assert_status(StatusCode::UNAUTHORIZED);
    }
    #[tokio::test]
    async fn handler_update_proxy_not_found_returns_not_found() {
        let empty_results: Vec<Vec<proxy_host::Model>> = vec![Vec::<proxy_host::Model>::new()];
        let db = MockDatabase::new(DatabaseBackend::Sqlite)
            .append_query_results(empty_results)
            .into_connection();
        let router = get_router_with_state(db.clone());
        let server = TestServer::new(router).expect("failed to create test server");
        let payload = UpdateProxyRequestBody {
            name: Some(Some("newname".to_string())),
            domain: None,
        };
        let res = server
            .patch(&format!("/proxy_hosts/{}", uuid::Uuid::new_v4()))
            .json(&payload)
            .await;
        res.assert_status(StatusCode::NOT_FOUND);
    }
 }
 impl From<UpdateProxyRequestBody> for UpdateProxyHostInfo {
    fn from(val: UpdateProxyRequestBody) -> Self {
        Self {
            name: val.name,
            domain: val.domain,
            scheme: None,
            listen_port: None,
            forward_scheme: None,
            forward_host: None,
            forward_port: None,
            preserve_host_header: None,
            enable_websocket: None,
            enabled: None,
            meta: None,
            default_upstream_id: None,
        }
    }
 }
 #[axum::debug_handler]
 #[utoipa::path(
    patch,
    path = "/api/nginx/proxy_hosts/{proxy_id}",
    request_body = UpdateProxyRequestBody,
    responses(
        (status = 200, description = "Proxy updated successfully", body = ProxyHostInfoResponse),
        (status = 401, description = "Unauthorized"),
        (status = 422, description = "Invalid request"),
        (status = 500, description = "Internal server error"),
    ),
 )]
 pub async fn update_proxy(
    _request_info: AuthenticatedRequestInfo,
    Path(proxy_id): Path<uuid::Uuid>,
    State(state): State<Arc<AppState>>,
    Json(payload): Json<UpdateProxyRequestBody>,
 ) -> AxumResult<Json<ProxyHostInfoResponse>, ApiError> {
    let svc = &state.service.nginx.get_proxy_service();
    let update: UpdateProxyHostInfo = payload.into();
    let mut tx = state.database_connection.begin().await?;
    let info = svc.update_proxy(proxy_id, update, &Some(&mut tx)).await?;
    state
        .service
        .nginx
        .regenerate_and_apply_config(state.service.agent_client.clone(), &Some(&mut tx))
        .await?;
    tx.commit().await?;
    Ok(Json(info.into()))
 }
--- a/apps/api/src/routes/api/restricted/nginx/upstream.rs
+++ b/apps/api/src/routes/api/restricted/nginx/upstream.rs
@@ -0,0 +1,43 @@
 pub mod create_upstream;
 pub mod create_upstream_target;
 pub mod get_upstream;
 pub mod get_upstream_target;
 pub mod info;
 pub mod remove_upstream;
 pub mod remove_upstream_target;
 pub mod update_upstream;
 pub mod update_upstream_target;
 use std::sync::Arc;
 use axum::{
    Router,
    routing::{get, post},
 };
 use crate::routes::AppState;
 pub fn get_upstream_router(state: Arc<AppState>) -> Router {
    Router::new()
        .route(
            "/upstreams",
            get(get_upstream::get_upstream_list).post(create_upstream::create_upstream),
        )
        .route(
            "/upstreams/{upstream_id}",
            get(get_upstream::get_upstream)
                .patch(update_upstream::update_upstream)
                .delete(remove_upstream::remove_upstream),
        )
        .route(
            "/upstreams/{upstream_id}/targets",
            post(create_upstream_target::add_upstream_target),
        )
        .route(
            "/upstream_targets/{upstream_target_id}",
            get(get_upstream_target::get_upstream_target)
                .patch(update_upstream_target::update_upstream_target)
                .delete(remove_upstream_target::remove_upstream_target),
        )
        .with_state(state)
 }
--- a/apps/api/src/routes/api/restricted/nginx/upstream/create_upstream.rs
+++ b/apps/api/src/routes/api/restricted/nginx/upstream/create_upstream.rs
@@ -0,0 +1,369 @@
 use std::sync::Arc;
 use axum::{Json, extract::State, response::Result as AxumResult};
 use sea_orm::TransactionTrait;
 use crate::{
    errors::api_error::ApiError,
    middlewares::request_info::AuthenticatedRequestInfo,
    routes::{
        AppState,
        api::{
            openapi::tag::NGINX_TAG,
            restricted::nginx::upstream::info::response::UpstreamInfoResponse,
        },
    },
    services::nginx::info::upstream::UpstreamCreateInfo,
 };
 #[derive(serde::Deserialize, utoipa::ToSchema, serde::Serialize)]
 pub struct UpstreamTargetInfo {
    pub host: String,
    pub port: i64,
    pub weight: Option<i64>,
    pub is_backup: Option<bool>,
    pub enabled: Option<bool>,
 }
 pub struct ConcreteUpstreamTargetInfo {
    pub host: String,
    pub port: i64,
    pub weight: i64,
    pub is_backup: bool,
    pub enabled: bool,
 }
 impl From<UpstreamTargetInfo> for ConcreteUpstreamTargetInfo {
    fn from(info: UpstreamTargetInfo) -> Self {
        Self {
            host: info.host,
            port: info.port,
            weight: info.weight.unwrap_or(1),
            is_backup: info.is_backup.unwrap_or(false),
            enabled: info.enabled.unwrap_or(true),
        }
    }
 }
 #[derive(serde::Deserialize, utoipa::ToSchema, serde::Serialize)]
 pub struct CreateUpstreamRequestBody {
    pub name: String,
    pub protocol: String,
    pub algorithm: Option<String>,
    pub sticky_session: Option<bool>,
    pub upstream_targets: Vec<UpstreamTargetInfo>,
 }
 struct ConcreteCreateUpstreamRequestBody {
    pub name: String,
    pub protocol: String,
    pub algorithm: String,
    pub sticky_session: bool,
    pub upstream_targets: Vec<ConcreteUpstreamTargetInfo>,
 }
 impl From<CreateUpstreamRequestBody> for ConcreteCreateUpstreamRequestBody {
    fn from(payload: CreateUpstreamRequestBody) -> Self {
        Self {
            name: payload.name,
            protocol: payload.protocol,
            algorithm: payload
                .algorithm
                .unwrap_or_else(|| "round_robin".to_string()),
            sticky_session: payload.sticky_session.unwrap_or(false),
            upstream_targets: payload
                .upstream_targets
                .into_iter()
                .map(|target| target.into())
                .collect(),
        }
    }
 }
 #[axum::debug_handler]
 #[utoipa::path(
    post,
    path = "/api/nginx/upstreams",
    request_body = CreateUpstreamRequestBody,
    responses(
        (status = 200, description = "Upstream created successfully", body = UpstreamInfoResponse),
        (status = 401, description = "Unauthorized"),
        (status = 422, description = "Invalid request"),
        (status = 500, description = "Internal server error"),
    ),
    tag = NGINX_TAG,
 )]
 pub async fn create_upstream(
    request_info: AuthenticatedRequestInfo,
    State(state): State<Arc<AppState>>,
    Json(payload): Json<CreateUpstreamRequestBody>,
 ) -> AxumResult<Json<UpstreamInfoResponse>, ApiError> {
    let upstream_service = &state.service.nginx.get_upstream_service();
    let concrete_payload: ConcreteCreateUpstreamRequestBody = payload.into();
    let create_info = UpstreamCreateInfo {
        name: concrete_payload.name,
        protocol: concrete_payload.protocol,
        algorithm: concrete_payload.algorithm,
        sticky_session: concrete_payload.sticky_session,
        created_by: Some(request_info.user_id),
        upstream_targets: concrete_payload
            .upstream_targets
            .into_iter()
            .map(
                |target| crate::services::nginx::info::upstream_target::UpstreamTargetCreateInfo {
                    target_host: target.host,
                    target_port: target.port,
                    weight: target.weight,
                    is_backup: target.is_backup,
                    enabled: target.enabled,
                    upstream_id: uuid::Uuid::nil(), // Placeholder, will be set in service
                },
            )
            .collect(),
    };
    let mut tx = state.database_connection.begin().await?;
    let upstream_info = upstream_service
        .create_upstream(create_info, Some(&mut tx))
        .await?;
    state
        .service
        .nginx
        .regenerate_and_apply_config(state.service.agent_client.clone(), &Some(&mut tx))
        .await?;
    tx.commit().await?;
    Ok(Json(upstream_info.into()))
 }
 #[cfg(test)]
 mod tests {
    use std::sync::Arc;
    use axum::http::StatusCode;
    use axum_test::TestServer;
    use sea_orm::{DatabaseBackend, DatabaseConnection, MockDatabase, MockRow};
    use database::generated::entities::{upstream, upstream_target};
    use crate::{
        configs::{FromConfig, ProgramSettings},
        middlewares::require_auth::mock::REQUEST_AUTH_USER_INVALID_HEADER,
        routes::api::restricted::nginx::upstream::{
            create_upstream::{CreateUpstreamRequestBody, UpstreamTargetInfo as ReqTarget},
            get_upstream_router,
        },
        services::{agent_client::MockAgentService, get_mock_app_service},
    };
    fn get_router_with_state(db: DatabaseConnection) -> axum::Router {
        let program_settings = ProgramSettings::mock();
        let mut mock = MockAgentService::new();
        mock.expect_validate().returning(|_cfg| Ok(()));
        mock.expect_apply().returning(|_cfg| Ok(()));
        let mock_agent = Arc::new(mock);
        let app_service =
            get_mock_app_service(&Arc::new(db.clone()), &program_settings, mock_agent);
        let state = Arc::new(crate::routes::AppState {
            database_connection: Arc::new(db),
            service: Arc::new(app_service),
            config: Arc::new(program_settings),
        });
        get_upstream_router(state).layer(axum::middleware::from_fn(
            crate::middlewares::require_auth::mock::mock_require_auth,
        ))
    }
    #[tokio::test]
    async fn handler_create_upstream_succeeds_returns_created() {
        let up_id = uuid::Uuid::new_v4();
        let up_model = upstream::Model {
            id: up_id,
            name: "new_upstream".to_string(),
            protocol: "http".to_string(),
            algorithm: "round_robin".to_string(),
            sticky_session: false,
            created_by: Some(uuid::Uuid::new_v4()),
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let target_id = uuid::Uuid::new_v4();
        let target_model = upstream_target::Model {
            id: target_id,
            upstream_id: up_id,
            target_host: "127.0.0.1".to_string(),
            target_port: 8080,
            weight: 1,
            is_backup: false,
            enabled: true,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let dummy_row: Vec<MockRow> = vec![];
        // service will likely perform an insert and then query to return created models
        let db = MockDatabase::new(DatabaseBackend::Sqlite)
            .append_query_results(vec![vec![up_model.clone()]])
            .append_query_results(vec![vec![target_model.clone()]])
            // additional query result for regenerate_and_apply_config -> generate_config
            // `find_with_related` returns rows of `(upstream, Option<target>)` which
            // the mock DB expects as `(Model, Option<Model>)` per row.
            .append_query_results(vec![vec![(up_model.clone(), Some(target_model.clone()))]])
            .append_query_results(vec![dummy_row])
            .into_connection();
        let router = get_router_with_state(db.clone());
        let server = TestServer::new(router).expect("failed to create test server");
        let payload = CreateUpstreamRequestBody {
            name: "new_upstream".to_string(),
            protocol: "http".to_string(),
            algorithm: None,
            sticky_session: None,
            upstream_targets: vec![ReqTarget {
                host: "127.0.0.1".to_string(),
                port: 8080,
                weight: None,
                is_backup: None,
                enabled: None,
            }],
        };
        let res = server.post("/upstreams").json(&payload).await;
        res.assert_status_ok();
        let text = res.text();
        let body: crate::routes::api::restricted::nginx::upstream::info::response::UpstreamInfoResponse =
            serde_json::from_str(&text).expect("failed to parse json");
        assert_eq!(body.id, up_id);
        assert_eq!(body.name, "new_upstream");
        assert_eq!(body.protocol, "http");
        assert_eq!(body.upstream_targets.len(), 1);
        assert_eq!(body.upstream_targets[0].id, target_id);
    }
    #[tokio::test]
    async fn handler_create_upstream_invalid_payload_returns_bad_request() {
        let db = MockDatabase::new(DatabaseBackend::Sqlite).into_connection();
        let router = get_router_with_state(db.clone());
        let server = TestServer::new(router).expect("failed to create test server");
        // missing required fields -> send empty object
        let res = server.post("/upstreams").json(&serde_json::json!({})).await;
        res.assert_status(StatusCode::UNPROCESSABLE_ENTITY);
    }
    #[tokio::test]
    async fn handler_create_upstream_agent_error_returns_internal() {
        let up_id = uuid::Uuid::new_v4();
        let up_model = upstream::Model {
            id: up_id,
            name: "new_upstream".to_string(),
            protocol: "http".to_string(),
            algorithm: "round_robin".to_string(),
            sticky_session: false,
            created_by: Some(uuid::Uuid::new_v4()),
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let target_id = uuid::Uuid::new_v4();
        let target_model = upstream_target::Model {
            id: target_id,
            upstream_id: up_id,
            target_host: "127.0.0.1".to_string(),
            target_port: 8080,
            weight: 1,
            is_backup: false,
            enabled: true,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        // configure mock agent to error on apply
        let mut mock = MockAgentService::new();
        mock.expect_validate().returning(|_cfg| Ok(()));
        mock.expect_apply().returning(|_cfg| {
            Err(
                crate::services::agent_client::AgentError::ApplicationFailed(
                    "internal".to_string(),
                    "Failed to communicate with the agent.".to_string(),
                ),
            )
        });
        let mock_agent = Arc::new(mock);
        let db = MockDatabase::new(DatabaseBackend::Sqlite)
            .append_query_results(vec![vec![up_model.clone()]])
            .append_query_results(vec![vec![target_model.clone()]])
            .append_query_results(vec![vec![(up_model.clone(), Some(target_model.clone()))]])
            .into_connection();
        let program_settings = ProgramSettings::mock();
        let app_service =
            get_mock_app_service(&Arc::new(db.clone()), &program_settings, mock_agent);
        let state = Arc::new(crate::routes::AppState {
            database_connection: Arc::new(db),
            service: Arc::new(app_service),
            config: Arc::new(program_settings),
        });
        let router = get_upstream_router(state).layer(axum::middleware::from_fn(
            crate::middlewares::require_auth::mock::mock_require_auth,
        ));
        let server = TestServer::new(router).expect("failed to create test server");
        let payload = CreateUpstreamRequestBody {
            name: "new_upstream".to_string(),
            protocol: "http".to_string(),
            algorithm: None,
            sticky_session: None,
            upstream_targets: vec![ReqTarget {
                host: "127.0.0.1".to_string(),
                port: 8080,
                weight: None,
                is_backup: None,
                enabled: None,
            }],
        };
        let res = server.post("/upstreams").json(&payload).await;
        res.assert_status(axum::http::StatusCode::INTERNAL_SERVER_ERROR);
    }
    #[tokio::test]
    async fn handler_create_upstream_unauthenticated_returns_unauthorized() {
        let db = MockDatabase::new(DatabaseBackend::Sqlite).into_connection();
        let router = get_router_with_state(db.clone());
        let server = TestServer::new(router).expect("failed to create test server");
        let payload = CreateUpstreamRequestBody {
            name: "new_upstream".to_string(),
            protocol: "http".to_string(),
            algorithm: None,
            sticky_session: None,
            upstream_targets: vec![ReqTarget {
                host: "127.0.0.1".to_string(),
                port: 8080,
                weight: None,
                is_backup: None,
                enabled: None,
            }],
        };
        let res = server
            .post("/upstreams")
            .add_header(REQUEST_AUTH_USER_INVALID_HEADER, "true")
            .json(&payload)
            .await;
        res.assert_status(StatusCode::UNAUTHORIZED);
    }
 }
--- a/apps/api/src/routes/api/restricted/nginx/upstream/create_upstream_target.rs
+++ b/apps/api/src/routes/api/restricted/nginx/upstream/create_upstream_target.rs
@@ -0,0 +1,314 @@
 use std::sync::Arc;
 use axum::{Json, extract::State, response::Result as AxumResult};
 use sea_orm::TransactionTrait;
 use crate::{
    errors::api_error::ApiError,
    middlewares::request_info::AuthenticatedRequestInfo,
    routes::{
        AppState,
        api::{
            openapi::tag::NGINX_TAG,
            restricted::nginx::upstream::info::response::UpstreamTargetInfoResponse,
        },
    },
    services::nginx::info::upstream_target::UpstreamTargetCreateInfo,
 };
 #[derive(serde::Deserialize, utoipa::ToSchema, serde::Serialize)]
 pub struct CreateUpstreamTargetInfo {
    pub upstream_id: uuid::Uuid,
    pub host: String,
    pub port: i64,
    pub weight: Option<i64>,
    pub is_backup: Option<bool>,
    pub enabled: Option<bool>,
 }
 pub struct ConcreteCreateUpstreamTargetInfo {
    pub upstream_id: uuid::Uuid,
    pub host: String,
    pub port: i64,
    pub weight: i64,
    pub is_backup: bool,
    pub enabled: bool,
 }
 impl From<CreateUpstreamTargetInfo> for ConcreteCreateUpstreamTargetInfo {
    fn from(info: CreateUpstreamTargetInfo) -> Self {
        Self {
            upstream_id: info.upstream_id,
            host: info.host,
            port: info.port,
            weight: info.weight.unwrap_or(1),
            is_backup: info.is_backup.unwrap_or(false),
            enabled: info.enabled.unwrap_or(true),
        }
    }
 }
 #[axum::debug_handler]
 #[utoipa::path(
    post,
    path = "/api/nginx/upstreams/{upstream_id}/targets",
    request_body = CreateUpstreamTargetInfo,
    responses(
        (status = 200, description = "Upstream target created successfully", body = UpstreamTargetInfoResponse),
        (status = 401, description = "Unauthorized"),
        (status = 422, description = "Invalid request"),
        (status = 500, description = "Internal server error"),
    ),
    tag = NGINX_TAG,
 )]
 pub async fn add_upstream_target(
    _request_info: AuthenticatedRequestInfo,
    State(state): State<Arc<AppState>>,
    Json(payload): Json<CreateUpstreamTargetInfo>,
 ) -> AxumResult<Json<UpstreamTargetInfoResponse>, ApiError> {
    let upstream_service = &state.service.nginx.get_upstream_service();
    let concrete_payload: ConcreteCreateUpstreamTargetInfo = payload.into();
    let create_info = UpstreamTargetCreateInfo {
        weight: concrete_payload.weight,
        is_backup: concrete_payload.is_backup,
        enabled: concrete_payload.enabled,
        target_host: concrete_payload.host,
        target_port: concrete_payload.port,
        upstream_id: concrete_payload.upstream_id,
    };
    let mut tx = state.database_connection.begin().await?;
    let upstream_info = upstream_service
        .create_upstream_target(create_info, Some(&mut tx))
        .await?;
    state
        .service
        .nginx
        .regenerate_and_apply_config(state.service.agent_client.clone(), &Some(&mut tx))
        .await?;
    tx.commit().await?;
    Ok(Json(upstream_info.into()))
 }
 #[cfg(test)]
 mod tests {
    use std::sync::Arc;
    use axum::http::StatusCode;
    use axum_test::TestServer;
    use sea_orm::{DatabaseBackend, DatabaseConnection, MockDatabase, MockRow};
    use database::generated::entities::{upstream, upstream_target};
    use crate::{
        configs::{FromConfig, ProgramSettings},
        middlewares::require_auth::mock::REQUEST_AUTH_USER_INVALID_HEADER,
        routes::api::restricted::nginx::upstream::{
            create_upstream_target::CreateUpstreamTargetInfo, get_upstream_router,
        },
        services::{agent_client::MockAgentService, get_mock_app_service},
    };
    fn get_router_with_state(db: DatabaseConnection) -> axum::Router {
        let program_settings = ProgramSettings::mock();
        let mut mock = MockAgentService::new();
        mock.expect_validate().returning(|_cfg| Ok(()));
        mock.expect_apply().returning(|_cfg| Ok(()));
        let mock_agent = Arc::new(mock);
        let app_service =
            get_mock_app_service(&Arc::new(db.clone()), &program_settings, mock_agent);
        let state = Arc::new(crate::routes::AppState {
            database_connection: Arc::new(db),
            service: Arc::new(app_service),
            config: Arc::new(program_settings),
        });
        get_upstream_router(state).layer(axum::middleware::from_fn(
            crate::middlewares::require_auth::mock::mock_require_auth,
        ))
    }
    #[tokio::test]
    async fn handler_add_upstream_target_agent_error_returns_internal() {
        let up_id = uuid::Uuid::new_v4();
        let target_id = uuid::Uuid::new_v4();
        let target_model = upstream_target::Model {
            id: target_id,
            upstream_id: up_id,
            target_host: "127.0.0.1".to_string(),
            target_port: 8080,
            weight: 1,
            is_backup: false,
            enabled: true,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let up_model = upstream::Model {
            id: up_id,
            name: "test_upstream".to_string(),
            protocol: "http".to_string(),
            algorithm: "round_robin".to_string(),
            sticky_session: false,
            created_by: None,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let dummy_row: Vec<MockRow> = vec![];
        // configure mock agent to return an error on apply
        let mut mock = MockAgentService::new();
        mock.expect_validate().returning(|_cfg| Ok(()));
        mock.expect_apply().returning(|_cfg| {
            Err(
                crate::services::agent_client::AgentError::ApplicationFailed(
                    "internal".to_string(),
                    "Failed to communicate with the agent.".to_string(),
                ),
            )
        });
        let mock_agent = Arc::new(mock);
        let db = MockDatabase::new(DatabaseBackend::Sqlite)
            .append_query_results(vec![vec![target_model.clone()]])
            .append_query_results(vec![vec![(up_model.clone(), Some(target_model.clone()))]])
            .append_query_results(vec![dummy_row])
            .into_connection();
        let program_settings = ProgramSettings::mock();
        let app_service =
            get_mock_app_service(&Arc::new(db.clone()), &program_settings, mock_agent);
        let state = Arc::new(crate::routes::AppState {
            database_connection: Arc::new(db),
            service: Arc::new(app_service),
            config: Arc::new(program_settings),
        });
        let router = get_upstream_router(state).layer(axum::middleware::from_fn(
            crate::middlewares::require_auth::mock::mock_require_auth,
        ));
        let server = TestServer::new(router).expect("failed to create test server");
        let payload = CreateUpstreamTargetInfo {
            upstream_id: up_id,
            host: "127.0.0.1".to_string(),
            port: 8080,
            weight: None,
            is_backup: None,
            enabled: None,
        };
        let res = server
            .post(&format!("/upstreams/{}/targets", up_id))
            .json(&payload)
            .await;
        res.assert_status(axum::http::StatusCode::INTERNAL_SERVER_ERROR);
    }
    #[tokio::test]
    async fn handler_add_upstream_target_succeeds_returns_created() {
        let up_id = uuid::Uuid::new_v4();
        let target_id = uuid::Uuid::new_v4();
        let target_model = upstream_target::Model {
            id: target_id,
            upstream_id: up_id,
            target_host: "127.0.0.1".to_string(),
            target_port: 8080,
            weight: 1,
            is_backup: false,
            enabled: true,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let up_model = upstream::Model {
            id: up_id,
            name: "test_upstream".to_string(),
            protocol: "http".to_string(),
            algorithm: "round_robin".to_string(),
            sticky_session: false,
            created_by: None,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let dummy_row: Vec<MockRow> = vec![];
        let db = MockDatabase::new(DatabaseBackend::Sqlite)
            .append_query_results(vec![vec![target_model.clone()]])
            // additional query result for regenerate_and_apply_config -> generate_config
            .append_query_results(vec![vec![(up_model.clone(), Some(target_model.clone()))]])
            .append_query_results(vec![dummy_row])
            .into_connection();
        let router = get_router_with_state(db.clone());
        let server = TestServer::new(router).expect("failed to create test server");
        let payload = CreateUpstreamTargetInfo {
            upstream_id: up_id,
            host: "127.0.0.1".to_string(),
            port: 8080,
            weight: None,
            is_backup: None,
            enabled: None,
        };
        let res = server
            .post(&format!("/upstreams/{}/targets", up_id))
            .json(&payload)
            .await;
        res.assert_status_ok();
        let text = res.text();
        let body: crate::routes::api::restricted::nginx::upstream::info::response::UpstreamTargetInfoResponse =
            serde_json::from_str(&text).expect("failed to parse json");
        assert_eq!(body.id, target_id);
        assert_eq!(body.host, "127.0.0.1");
        assert_eq!(body.port, 8080);
        assert_eq!(body.upstream_id, up_id);
    }
    #[tokio::test]
    async fn handler_add_upstream_target_invalid_payload_returns_bad_request() {
        let db = MockDatabase::new(DatabaseBackend::Sqlite).into_connection();
        let router = get_router_with_state(db.clone());
        let server = TestServer::new(router).expect("failed to create test server");
        let res = server
            .post(&format!("/upstreams/{}/targets", uuid::Uuid::new_v4()))
            .json(&serde_json::json!({}))
            .await;
        res.assert_status(StatusCode::UNPROCESSABLE_ENTITY);
    }
    #[tokio::test]
    async fn handler_add_upstream_target_unauthenticated_returns_unauthorized() {
        let db = MockDatabase::new(DatabaseBackend::Sqlite).into_connection();
        let router = get_router_with_state(db.clone());
        let server = TestServer::new(router).expect("failed to create test server");
        let payload = CreateUpstreamTargetInfo {
            upstream_id: uuid::Uuid::new_v4(),
            host: "127.0.0.1".to_string(),
            port: 8080,
            weight: None,
            is_backup: None,
            enabled: None,
        };
        let res = server
            .post(&format!("/upstreams/{}/targets", payload.upstream_id))
            .add_header(REQUEST_AUTH_USER_INVALID_HEADER, "true")
            .json(&payload)
            .await;
        res.assert_status(StatusCode::UNAUTHORIZED);
    }
 }
--- a/apps/api/src/routes/api/restricted/nginx/upstream/get_upstream.rs
+++ b/apps/api/src/routes/api/restricted/nginx/upstream/get_upstream.rs
@@ -0,0 +1,343 @@
 use std::sync::Arc;
 use axum::{
    Json,
    extract::{Path, Query, State},
    response::Result as AxumResult,
 };
 use serde::{Deserialize, Serialize};
 use uuid::Uuid;
 use crate::{
    errors::{api_error::ApiError, service_error::ServiceError},
    routes::{
        AppState,
        api::{
            helper::pagination::{ExtractPagination, PaginationInfo},
            openapi::tag::NGINX_TAG,
            restricted::nginx::upstream::info::response::{
                UpstreamInfoResponse, UpstreamListResponse,
            },
        },
    },
    services::nginx::upstream::GetUpstreamOptions,
 };
 #[derive(Serialize, Deserialize, utoipa::ToSchema)]
 pub struct GetUpstreamParams {
    pub include_targets: Option<bool>,
 }
 pub struct ConcreteGetUpstreamParams {
    pub include_targets: bool,
 }
 impl From<GetUpstreamParams> for ConcreteGetUpstreamParams {
    fn from(params: GetUpstreamParams) -> Self {
        Self {
            include_targets: params.include_targets.unwrap_or(false),
        }
    }
 }
 #[utoipa::path(
    get,
    path = "/api/nginx/upstreams",
    responses(
        (status = 200, description = "List upstreams", body = UpstreamListResponse),
        (status = 500, description = "Internal server error"),
    ),
    tag = NGINX_TAG,
 )]
 pub async fn get_upstream_list(
    ExtractPagination(pagination): ExtractPagination,
    State(state): State<Arc<AppState>>,
 ) -> AxumResult<Json<UpstreamListResponse>, ServiceError> {
    let upstream_service = &state.service.nginx.get_upstream_service();
    let (upstreams_res, upstream_count_res) = tokio::join!(
        upstream_service.get_upstreams(
            Some(pagination.clone().into()),
            Some(GetUpstreamOptions {
                include_targets: true,
                filter_by_enabled: false,
            }),
            None,
        ),
        upstream_service.get_total_upstreams(None, None),
    );
    let upstreams = upstreams_res?;
    let upstream_count = upstream_count_res?;
    //
    Ok(Json(UpstreamListResponse {
        items: upstreams.into_iter().map(|u| u.into()).collect(),
        pagination: PaginationInfo {
            total_items: upstream_count,
            total_pages: if upstream_count == 0 {
                0
            } else {
                (upstream_count as f32 / pagination.per_page as f32).ceil() as u32
            },
            current_page: pagination.page,
            per_page: pagination.per_page,
        },
    }))
 }
 #[utoipa::path(
    get,
    path = "/api/nginx/upstreams/{upstream_id}",
    responses(
        (status = 200, description = "Get upstream info", body = UpstreamInfoResponse),
        (status = 404, description = "Not found"),
        (status = 500, description = "Internal server error"),
    ),
    tag = NGINX_TAG,
 )]
 pub async fn get_upstream(
    Path(upstream_id): Path<Uuid>,
    Query(params): Query<GetUpstreamParams>,
    State(_state): State<Arc<AppState>>,
 ) -> AxumResult<Json<UpstreamInfoResponse>, ApiError> {
    let concrete_params: ConcreteGetUpstreamParams = params.into();
    let upstream_service = &_state.service.nginx.get_upstream_service();
    let upstream_info = if concrete_params.include_targets {
        upstream_service
            .get_upstream(
                upstream_id,
                Some(GetUpstreamOptions {
                    include_targets: true,
                    filter_by_enabled: false,
                }),
                None,
            )
            .await?
    } else {
        upstream_service
            .get_upstream(upstream_id, None, None)
            .await?
    };
    //
    Ok(Json(upstream_info.into()))
 }
 #[cfg(test)]
 mod tests {
    use super::*;
    use std::{collections::BTreeMap, sync::Arc};
    use axum::http::StatusCode;
    use axum_test::TestServer;
    use sea_orm::{DatabaseBackend, DatabaseConnection, MockDatabase, Value};
    use database::generated::entities::{upstream, upstream_target};
    use crate::{
        configs::{FromConfig, ProgramSettings},
        routes::api::restricted::nginx::upstream::{
            get_upstream_router, info::response::UpstreamInfoResponse,
        },
        services::get_app_service,
    };
    fn get_router_with_state(db: DatabaseConnection) -> axum::Router {
        let program_settings = ProgramSettings::mock();
        let app_service = get_app_service(&Arc::new(db.clone()), &program_settings);
        let state = Arc::new(crate::routes::AppState {
            database_connection: Arc::new(db),
            service: Arc::new(app_service),
            config: Arc::new(program_settings),
        });
        get_upstream_router(state)
    }
    #[tokio::test]
    async fn handler_get_upstream_list_returns_list() {
        let u1 = upstream::Model {
            id: uuid::Uuid::new_v4(),
            name: "u1".to_string(),
            protocol: "http".to_string(),
            algorithm: "rr".to_string(),
            sticky_session: false,
            created_by: None,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let u2 = upstream::Model {
            id: uuid::Uuid::new_v4(),
            name: "u2".to_string(),
            protocol: "http".to_string(),
            algorithm: "rr".to_string(),
            sticky_session: false,
            created_by: None,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let db = MockDatabase::new(DatabaseBackend::Sqlite)
            .append_query_results(vec![vec![
                (u1.clone(), None::<upstream_target::Model>),
                (u2.clone(), None::<upstream_target::Model>),
            ]])
            .append_query_results(vec![vec![BTreeMap::from([(
                "count".to_string(),
                Value::BigInt(Some(2)),
            )])]])
            .into_connection();
        let router = get_router_with_state(db.clone());
        let server = TestServer::new(router).expect("failed to create test server");
        let res = server.get("/upstreams").await;
        res.assert_status_ok();
        let body = res.json::<UpstreamListResponse>();
        assert_eq!(body.items.len(), 2);
        assert_eq!(body.pagination.current_page, 1u32);
        assert_eq!(body.pagination.total_pages, 1u32);
    }
    #[tokio::test]
    async fn handler_get_upstream_with_targets_returns_targets() {
        let up_id = uuid::Uuid::new_v4();
        let up_model = upstream::Model {
            id: up_id,
            name: "with_targets".to_string(),
            protocol: "http".to_string(),
            algorithm: "least_conn".to_string(),
            sticky_session: true,
            created_by: None,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let target_model = upstream_target::Model {
            id: uuid::Uuid::new_v4(),
            upstream_id: up_id,
            target_host: "127.0.0.1".to_string(),
            target_port: 8080,
            weight: 1,
            is_backup: false,
            enabled: true,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let db = MockDatabase::new(DatabaseBackend::Sqlite)
            // find_by_id -> returns upstream model
            .append_query_results(vec![vec![up_model.clone()]])
            // find targets -> returns the target(s)
            .append_query_results(vec![vec![target_model.clone()]])
            .into_connection();
        let router = get_router_with_state(db.clone());
        let server = TestServer::new(router).expect("failed to create test server");
        let url = format!("/upstreams/{}?include_targets=true", up_id);
        let res = server.get(&url).await;
        res.assert_status_ok();
        let body = res.json::<UpstreamInfoResponse>();
        assert_eq!(body.id, up_id);
        assert_eq!(body.upstream_targets.len(), 1);
        assert_eq!(body.upstream_targets[0].target_host, "127.0.0.1");
    }
    #[tokio::test]
    async fn extractor_pagination_validation_rejects_bad_values() {
        let db = MockDatabase::new(DatabaseBackend::Sqlite)
            .append_query_results(vec![Vec::<sea_orm::MockRow>::new()])
            .append_query_results(vec![vec![BTreeMap::from([(
                "count".to_string(),
                Value::BigInt(Some(0)),
            )])]])
            .into_connection();
        let router = get_router_with_state(db.clone());
        let server = TestServer::new(router).expect("failed to create test server");
        // page = 0 should be rejected
        let res = server.get("/upstreams?page=0&per_page=10").await;
        res.assert_status(StatusCode::BAD_REQUEST);
        // per_page out of range should be rejected
        let res = server.get("/upstreams?page=1&per_page=0").await;
        res.assert_status(StatusCode::BAD_REQUEST);
        // valid values accepted
        let res = server.get("/upstreams?page=2&per_page=5").await;
        res.assert_status_ok();
        let body = res.json::<UpstreamListResponse>();
        assert_eq!(body.pagination.current_page, 2u32);
        assert_eq!(body.pagination.per_page, 5u32);
    }
    #[tokio::test]
    async fn handler_get_upstream_not_found_returns_service_error() {
        let up_id = uuid::Uuid::new_v4();
        let db = MockDatabase::new(DatabaseBackend::Sqlite)
            .append_query_results(vec![Vec::<sea_orm::MockRow>::new()])
            .into_connection();
        let router = get_router_with_state(db.clone());
        let server = TestServer::new(router).expect("failed to create test server");
        let url = format!("/upstreams/{}?include_targets=false", up_id);
        let res = server.get(&url).await;
        res.assert_status(StatusCode::NOT_FOUND);
    }
    #[tokio::test]
    async fn handler_get_upstream_without_targets_returns_info() {
        let up_id = uuid::Uuid::new_v4();
        let up_model = upstream::Model {
            id: up_id,
            name: "simple_up".to_string(),
            protocol: "http".to_string(),
            algorithm: "rr".to_string(),
            sticky_session: false,
            created_by: None,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let db = MockDatabase::new(DatabaseBackend::Sqlite)
            // find_by_id -> returns upstream model
            .append_query_results(vec![vec![up_model.clone()]])
            .into_connection();
        let router = get_router_with_state(db.clone());
        let server = TestServer::new(router).expect("failed to create test server");
        // include_targets omitted -> should not include targets
        let url = format!("/upstreams/{}", up_id);
        let res = server.get(&url).await;
        res.assert_status_ok();
        let body = res.json::<UpstreamInfoResponse>();
        assert_eq!(body.id, up_id);
        assert!(body.upstream_targets.is_empty());
    }
    #[tokio::test]
    async fn handler_get_upstream_list_empty_returns_empty_items() {
        let db = MockDatabase::new(DatabaseBackend::Sqlite)
            .append_query_results(vec![Vec::<sea_orm::MockRow>::new()])
            .append_query_results(vec![vec![BTreeMap::from([(
                "count".to_string(),
                Value::BigInt(Some(0)),
            )])]])
            .into_connection();
        let router = get_router_with_state(db.clone());
        let server = TestServer::new(router).expect("failed to create test server");
        let res = server.get("/upstreams?page=3&per_page=10").await;
        res.assert_status_ok();
        let body = res.json::<UpstreamListResponse>();
        assert_eq!(body.items.len(), 0);
        assert_eq!(body.pagination.current_page, 3u32);
        assert_eq!(body.pagination.per_page, 10u32);
    }
 }
--- a/apps/api/src/routes/api/restricted/nginx/upstream/get_upstream_target.rs
+++ b/apps/api/src/routes/api/restricted/nginx/upstream/get_upstream_target.rs
@@ -0,0 +1,193 @@
 use std::sync::Arc;
 use axum::{
    Json,
    extract::{Path, Query, State},
    response::Result as AxumResult,
 };
 use serde::{Deserialize, Serialize};
 use uuid::Uuid;
 use crate::{
    errors::api_error::ApiError,
    routes::{
        AppState,
        api::{
            openapi::tag::NGINX_TAG,
            restricted::nginx::upstream::info::response::UpstreamTargetInfo,
        },
    },
 };
 #[derive(Serialize, Deserialize, utoipa::ToSchema)]
 pub struct GetUpstreamTargetsParams {
    pub include_upstream: Option<bool>,
 }
 pub struct ConcreteGetUpstreamTargetsParams {
    pub include_upstream: bool,
 }
 impl From<GetUpstreamTargetsParams> for ConcreteGetUpstreamTargetsParams {
    fn from(params: GetUpstreamTargetsParams) -> Self {
        Self {
            include_upstream: params.include_upstream.unwrap_or(false),
        }
    }
 }
 #[utoipa::path(
    get,
    path = "/api/nginx/upstream_targets/{upstream_target_id}",
    responses(
        (status = 200, description = "Get upstream target info", body = UpstreamTargetInfo),
        (status = 404, description = "Not found"),
        (status = 500, description = "Internal server error"),
    ),
    tag = NGINX_TAG,
 )]
 pub async fn get_upstream_target(
    Path(upstream_target_id): Path<Uuid>,
    Query(params): Query<GetUpstreamTargetsParams>,
    State(_state): State<Arc<AppState>>,
 ) -> AxumResult<Json<UpstreamTargetInfo>, ApiError> {
    let concrete_params: ConcreteGetUpstreamTargetsParams = params.into();
    let upstream_service = &_state.service.nginx.get_upstream_service();
    let upstream_target_info = upstream_service
        .get_upstream_target(
            upstream_target_id,
            if concrete_params.include_upstream {
                Some(crate::services::nginx::upstream::GetUpstreamTargetOptions {
                    include_upstream: true,
                })
            } else {
                None
            },
            None,
        )
        .await?;
    Ok(Json(upstream_target_info.into()))
 }
 #[cfg(test)]
 mod tests {
    use super::*;
    use std::sync::Arc;
    use axum::http::StatusCode;
    use axum_test::TestServer;
    use sea_orm::{DatabaseBackend, DatabaseConnection, MockDatabase};
    use database::generated::entities::{upstream, upstream_target};
    use crate::configs::{FromConfig, ProgramSettings};
    use crate::routes::api::restricted::nginx::upstream::get_upstream_router;
    use crate::services::get_app_service;
    fn get_router_with_state(db: DatabaseConnection) -> axum::Router {
        let program_settings = ProgramSettings::mock();
        let app_service = get_app_service(&Arc::new(db.clone()), &program_settings);
        let state = Arc::new(crate::routes::AppState {
            database_connection: Arc::new(db),
            service: Arc::new(app_service),
            config: Arc::new(program_settings),
        });
        get_upstream_router(state)
    }
    #[tokio::test]
    async fn handler_get_upstream_target_with_upstream_returns_upstream() {
        let up_id = uuid::Uuid::new_v4();
        let up_model = upstream::Model {
            id: up_id,
            name: "with_targets".to_string(),
            protocol: "http".to_string(),
            algorithm: "least_conn".to_string(),
            sticky_session: true,
            created_by: None,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let target_id = uuid::Uuid::new_v4();
        let target_model = upstream_target::Model {
            id: target_id,
            upstream_id: up_id,
            target_host: "127.0.0.1".to_string(),
            target_port: 8080,
            weight: 1,
            is_backup: false,
            enabled: true,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let db = MockDatabase::new(DatabaseBackend::Sqlite)
            // query returns joined (upstream_target, upstream)
            .append_query_results(vec![vec![(target_model.clone(), Some(up_model.clone()))]])
            .into_connection();
        let router = get_router_with_state(db.clone());
        let server = TestServer::new(router).expect("failed to create test server");
        let url = format!("/upstream_targets/{}?include_upstream=true", target_id);
        let res = server.get(&url).await;
        res.assert_status_ok();
        let text = res.text();
        let body: UpstreamTargetInfo = serde_json::from_str(&text).expect("failed to parse json");
        assert_eq!(body.upstream_id, up_id);
        assert!(body.upstream.is_some());
        let upstream = body.upstream.expect("upstream to be present");
        assert_eq!(upstream.id, up_id);
        assert_eq!(upstream.name, "with_targets");
    }
    #[tokio::test]
    async fn handler_get_upstream_target_without_upstream_returns_info() {
        let target_id = uuid::Uuid::new_v4();
        let target_model = upstream_target::Model {
            id: target_id,
            upstream_id: uuid::Uuid::new_v4(),
            target_host: "10.0.0.1".to_string(),
            target_port: 9090,
            weight: 5,
            is_backup: false,
            enabled: true,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let db = MockDatabase::new(DatabaseBackend::Sqlite)
            .append_query_results(vec![vec![target_model.clone()]])
            .into_connection();
        let router = get_router_with_state(db.clone());
        let server = TestServer::new(router).expect("failed to create test server");
        let url = format!("/upstream_targets/{}", target_id);
        let res = server.get(&url).await;
        res.assert_status_ok();
        let text = res.text();
        let body: UpstreamTargetInfo = serde_json::from_str(&text).expect("failed to parse json");
        assert_eq!(body.id, target_id);
        assert!(body.upstream.is_none());
    }
    #[tokio::test]
    async fn handler_get_upstream_target_not_found_returns_service_error() {
        let target_id = uuid::Uuid::new_v4();
        let db = MockDatabase::new(DatabaseBackend::Sqlite)
            .append_query_results(vec![Vec::<sea_orm::MockRow>::new()])
            .into_connection();
        let router = get_router_with_state(db.clone());
        let server = TestServer::new(router).expect("failed to create test server");
        let url = format!("/upstream_targets/{}?include_upstream=false", target_id);
        let res = server.get(&url).await;
        res.assert_status(StatusCode::NOT_FOUND);
    }
 }
--- a/apps/api/src/routes/api/restricted/nginx/upstream/info.rs
+++ b/apps/api/src/routes/api/restricted/nginx/upstream/info.rs
@@ -0,0 +1 @@
 pub mod response;
--- a/apps/api/src/routes/api/restricted/nginx/upstream/info/response.rs
+++ b/apps/api/src/routes/api/restricted/nginx/upstream/info/response.rs
@@ -0,0 +1,232 @@
 use chrono::{DateTime, Utc};
 use serde::{Deserialize, Serialize};
 use uuid::Uuid;
 use crate::routes::api::helper::pagination::PaginationInfo;
 #[derive(Serialize, Deserialize, utoipa::ToSchema)]
 pub struct UpstreamTargetInfo {
    pub id: uuid::Uuid,
    pub target_host: String,
    pub target_port: i64,
    pub enabled: bool,
    pub is_backup: bool,
    pub weight: i32,
    //
    pub created_at: DateTime<Utc>,
    pub updated_at: DateTime<Utc>,
    //
    pub upstream_id: Uuid,
    pub upstream: Option<UpstreamBasicInfo>,
 }
 #[derive(Serialize, Deserialize, utoipa::ToSchema)]
 pub struct UpstreamBasicInfo {
    pub id: Uuid,
    pub name: String,
    pub protocol: String,
    //
    pub created_at: DateTime<Utc>,
    pub updated_at: DateTime<Utc>,
 }
 impl From<crate::services::nginx::info::upstream_target::UpstreamTargetInfo>
    for UpstreamTargetInfo
 {
    fn from(info: crate::services::nginx::info::upstream_target::UpstreamTargetInfo) -> Self {
        Self {
            id: info.id,
            target_host: info.target_host,
            target_port: info.target_port,
            enabled: info.enabled,
            is_backup: info.is_backup,
            weight: info.weight as i32,
            //
            created_at: info.created_at,
            updated_at: info.updated_at,
            //
            upstream_id: info.upstream_id,
            upstream: info.upstream.map(|u| UpstreamBasicInfo {
                id: u.id,
                name: u.name,
                protocol: u.protocol,
                created_at: u.created_at,
                updated_at: u.updated_at,
            }),
        }
    }
 }
 #[derive(Serialize, Deserialize, utoipa::ToSchema)]
 pub struct UpstreamTargetBasicInfo {
    pub id: uuid::Uuid,
    pub target_host: String,
    pub target_port: i64,
    pub enabled: bool,
    pub is_backup: bool,
    pub weight: i32,
    //
    pub created_at: DateTime<Utc>,
    pub updated_at: DateTime<Utc>,
 }
 impl From<crate::services::nginx::info::upstream_target::UpstreamTargetInfo>
    for UpstreamTargetBasicInfo
 {
    fn from(info: crate::services::nginx::info::upstream_target::UpstreamTargetInfo) -> Self {
        Self {
            id: info.id,
            target_host: info.target_host,
            target_port: info.target_port,
            enabled: info.enabled,
            is_backup: info.is_backup,
            weight: info.weight as i32,
            //
            created_at: info.created_at,
            updated_at: info.updated_at,
        }
    }
 }
 #[derive(Serialize, Deserialize, utoipa::ToSchema)]
 pub struct UpstreamInfoResponse {
    pub id: uuid::Uuid,
    pub name: String,
    pub protocol: String,
    pub algorithm: String,
    pub sticky_session: bool,
    pub created_by: Option<uuid::Uuid>,
    pub created_at: DateTime<Utc>,
    pub updated_at: DateTime<Utc>,
    //
    pub upstream_targets: Vec<UpstreamTargetBasicInfo>,
 }
 impl From<crate::services::nginx::info::upstream::UpstreamInfo> for UpstreamInfoResponse {
    fn from(info: crate::services::nginx::info::upstream::UpstreamInfo) -> Self {
        Self {
            id: info.id,
            name: info.name,
            protocol: info.protocol,
            algorithm: info.algorithm,
            sticky_session: info.sticky_session,
            created_by: info.created_by,
            created_at: info.created_at,
            updated_at: info.updated_at,
            upstream_targets: info
                .upstream_targets
                .into_iter()
                .map(|t| t.into())
                .collect(),
        }
    }
 }
 #[derive(Serialize, Deserialize, utoipa::ToSchema)]
 pub struct UpstreamListResponse {
    pub items: Vec<UpstreamInfoResponse>,
    pub pagination: PaginationInfo,
 }
 #[derive(Serialize, Deserialize, utoipa::ToSchema)]
 pub struct UpstreamTargetInfoResponse {
    pub id: uuid::Uuid,
    pub host: String,
    pub port: i64,
    pub enabled: bool,
    pub is_backup: bool,
    pub weight: i32,
    //
    pub created_at: DateTime<Utc>,
    pub updated_at: DateTime<Utc>,
    //
    pub upstream_id: Uuid,
 }
 impl From<crate::services::nginx::info::upstream_target::UpstreamTargetInfo>
    for UpstreamTargetInfoResponse
 {
    fn from(info: crate::services::nginx::info::upstream_target::UpstreamTargetInfo) -> Self {
        Self {
            id: info.id,
            host: info.target_host,
            port: info.target_port,
            enabled: info.enabled,
            is_backup: info.is_backup,
            weight: info.weight as i32,
            //
            created_at: info.created_at,
            updated_at: info.updated_at,
            //
            upstream_id: info.upstream_id,
        }
    }
 }
 #[derive(Serialize, Deserialize, utoipa::ToSchema)]
 pub struct UpdateUpstreamInfoResponse {
    pub id: uuid::Uuid,
    pub name: String,
    pub protocol: String,
    pub algorithm: String,
    pub sticky_session: bool,
    pub created_by: Option<uuid::Uuid>,
    pub created_at: DateTime<Utc>,
    pub updated_at: DateTime<Utc>,
    //
    pub upstream_targets: Vec<UpstreamTargetBasicInfo>,
 }
 impl From<crate::services::nginx::info::upstream::UpstreamInfo> for UpdateUpstreamInfoResponse {
    fn from(info: crate::services::nginx::info::upstream::UpstreamInfo) -> Self {
        Self {
            id: info.id,
            name: info.name,
            protocol: info.protocol,
            algorithm: info.algorithm,
            sticky_session: info.sticky_session,
            created_by: info.created_by,
            created_at: info.created_at,
            updated_at: info.updated_at,
            upstream_targets: info
                .upstream_targets
                .into_iter()
                .map(|t| t.into())
                .collect(),
        }
    }
 }
 #[derive(Serialize, Deserialize, utoipa::ToSchema)]
 pub struct UpdateUpstreamTargetInfoResponse {
    pub id: uuid::Uuid,
    pub host: String,
    pub port: i64,
    pub enabled: bool,
    pub is_backup: bool,
    pub weight: i32,
    //
    pub created_at: DateTime<Utc>,
    pub updated_at: DateTime<Utc>,
    //
    pub upstream_id: Uuid,
 }
 impl From<crate::services::nginx::info::upstream_target::UpstreamTargetInfo>
    for UpdateUpstreamTargetInfoResponse
 {
    fn from(info: crate::services::nginx::info::upstream_target::UpstreamTargetInfo) -> Self {
        Self {
            id: info.id,
            host: info.target_host,
            port: info.target_port,
            enabled: info.enabled,
            is_backup: info.is_backup,
            weight: info.weight as i32,
            //
            created_at: info.created_at,
            updated_at: info.updated_at,
            upstream_id: info.upstream_id,
        }
    }
 }
--- a/apps/api/src/routes/api/restricted/nginx/upstream/remove_upstream.rs
+++ b/apps/api/src/routes/api/restricted/nginx/upstream/remove_upstream.rs
@@ -0,0 +1,240 @@
 use std::sync::Arc;
 use axum::{
    Json,
    extract::{Path, State},
    response::Result as AxumResult,
 };
 use sea_orm::TransactionTrait;
 use uuid::Uuid;
 use crate::{
    errors::api_error::ApiError,
    middlewares::request_info::AuthenticatedRequestInfo,
    routes::{AppState, api::openapi::tag::NGINX_TAG},
 };
 #[utoipa::path(
    delete,
    path = "/api/nginx/upstreams/{upstream_id}",
    responses(
        (status = 200, description = "Upstream removed successfully", body = ()),
        (status = 401, description = "Unauthorized"),
        (status = 404, description = "Not found"),
        (status = 500, description = "Internal server error"),
    ),
    tag = NGINX_TAG,
 )]
 pub async fn remove_upstream(
    _request_info: AuthenticatedRequestInfo,
    Path(upstream_id): Path<Uuid>,
    State(state): State<Arc<AppState>>,
 ) -> AxumResult<Json<()>, ApiError> {
    let upstream_service = &state.service.nginx.get_upstream_service();
    let mut tx = state.database_connection.begin().await?;
    upstream_service
        .delete_upstream(upstream_id, Some(&mut tx))
        .await?;
    state
        .service
        .nginx
        .regenerate_and_apply_config(state.service.agent_client.clone(), &Some(&mut tx))
        .await?;
    tx.commit().await?;
    Ok(Json(()))
 }
 #[cfg(test)]
 mod tests {
    use std::sync::Arc;
    use axum::http::StatusCode;
    use axum_test::TestServer;
    use sea_orm::{DatabaseBackend, DatabaseConnection, MockDatabase, MockExecResult, MockRow};
    use database::generated::entities::{upstream, upstream_target};
    use crate::{
        configs::{FromConfig, ProgramSettings},
        middlewares::require_auth::mock::REQUEST_AUTH_USER_INVALID_HEADER,
        routes::api::restricted::nginx::upstream::get_upstream_router,
        services::{agent_client::MockAgentService, get_mock_app_service},
    };
    fn get_router_with_state(db: DatabaseConnection) -> axum::Router {
        let program_settings = ProgramSettings::mock();
        let mut mock = MockAgentService::new();
        mock.expect_validate().returning(|_cfg| Ok(()));
        mock.expect_apply().returning(|_cfg| Ok(()));
        let mock_agent = Arc::new(mock);
        let app_service =
            get_mock_app_service(&Arc::new(db.clone()), &program_settings, mock_agent);
        let state = Arc::new(crate::routes::AppState {
            database_connection: Arc::new(db),
            service: Arc::new(app_service),
            config: Arc::new(program_settings),
        });
        get_upstream_router(state).layer(axum::middleware::from_fn(
            crate::middlewares::require_auth::mock::mock_require_auth,
        ))
    }
    #[tokio::test]
    async fn handler_remove_upstream_succeeds_returns_ok() {
        let up_id = uuid::Uuid::new_v4();
        let existing = upstream::Model {
            id: up_id,
            name: "todelete".to_string(),
            protocol: "http".to_string(),
            algorithm: "rr".to_string(),
            sticky_session: false,
            created_by: None,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let target_model = upstream_target::Model {
            id: uuid::Uuid::new_v4(),
            upstream_id: up_id,
            target_host: "127.0.0.1".to_string(),
            target_port: 8080,
            weight: 1,
            is_backup: false,
            enabled: true,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let dummy_row: Vec<MockRow> = vec![];
        let db = MockDatabase::new(DatabaseBackend::Sqlite)
            .append_query_results(vec![vec![existing.clone()]])
            .append_exec_results(vec![
                MockExecResult {
                    rows_affected: 1,
                    last_insert_id: 0,
                },
                MockExecResult {
                    rows_affected: 1,
                    last_insert_id: 0,
                },
            ])
            // additional query result for regenerate_and_apply_config -> generate_config
            .append_query_results(vec![vec![(existing.clone(), Some(target_model.clone()))]])
            .append_query_results(vec![dummy_row])
            .into_connection();
        let router = get_router_with_state(db.clone());
        let server = TestServer::new(router).expect("failed to create test server");
        let res = server.delete(&format!("/upstreams/{}", up_id)).await;
        res.assert_status_ok();
    }
    #[tokio::test]
    async fn handler_remove_upstream_agent_error_returns_internal() {
        let up_id = uuid::Uuid::new_v4();
        let existing = upstream::Model {
            id: up_id,
            name: "todelete".to_string(),
            protocol: "http".to_string(),
            algorithm: "rr".to_string(),
            sticky_session: false,
            created_by: None,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let target_model = upstream_target::Model {
            id: uuid::Uuid::new_v4(),
            upstream_id: up_id,
            target_host: "127.0.0.1".to_string(),
            target_port: 8080,
            weight: 1,
            is_backup: false,
            enabled: true,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let mut mock = MockAgentService::new();
        mock.expect_validate().returning(|_cfg| Ok(()));
        mock.expect_apply().returning(|_cfg| {
            Err(
                crate::services::agent_client::AgentError::ApplicationFailed(
                    "internal".to_string(),
                    "Failed to communicate with the agent.".to_string(),
                ),
            )
        });
        let mock_agent = Arc::new(mock);
        let db = MockDatabase::new(DatabaseBackend::Sqlite)
            .append_query_results(vec![vec![existing.clone()]])
            .append_exec_results(vec![
                MockExecResult {
                    rows_affected: 1,
                    last_insert_id: 0,
                },
                MockExecResult {
                    rows_affected: 1,
                    last_insert_id: 0,
                },
            ])
            .append_query_results(vec![vec![(existing.clone(), Some(target_model.clone()))]])
            .into_connection();
        let program_settings = ProgramSettings::mock();
        let app_service =
            get_mock_app_service(&Arc::new(db.clone()), &program_settings, mock_agent);
        let state = Arc::new(crate::routes::AppState {
            database_connection: Arc::new(db),
            service: Arc::new(app_service),
            config: Arc::new(program_settings),
        });
        let router = get_upstream_router(state).layer(axum::middleware::from_fn(
            crate::middlewares::require_auth::mock::mock_require_auth,
        ));
        let server = TestServer::new(router).expect("failed to create test server");
        let res = server.delete(&format!("/upstreams/{}", up_id)).await;
        res.assert_status(axum::http::StatusCode::INTERNAL_SERVER_ERROR);
    }
    #[tokio::test]
    async fn handler_remove_upstream_unauthenticated_returns_unauthorized() {
        let db = MockDatabase::new(DatabaseBackend::Sqlite).into_connection();
        let router = get_router_with_state(db.clone());
        let server = TestServer::new(router).expect("failed to create test server");
        let res = server
            .delete(&format!("/upstreams/{}", uuid::Uuid::new_v4()))
            .add_header(REQUEST_AUTH_USER_INVALID_HEADER, "true")
            .await;
        res.assert_status(StatusCode::UNAUTHORIZED);
    }
    #[tokio::test]
    async fn handler_remove_upstream_not_found_returns_not_found() {
        let empty_results: Vec<Vec<upstream::Model>> = vec![Vec::<upstream::Model>::new()];
        let db = MockDatabase::new(DatabaseBackend::Sqlite)
            .append_query_results(empty_results)
            .into_connection();
        let router = get_router_with_state(db.clone());
        let server = TestServer::new(router).expect("failed to create test server");
        let res = server
            .delete(&format!("/upstreams/{}", uuid::Uuid::new_v4()))
            .await;
        res.assert_status(StatusCode::NOT_FOUND);
    }
 }
--- a/apps/api/src/routes/api/restricted/nginx/upstream/remove_upstream_target.rs
+++ b/apps/api/src/routes/api/restricted/nginx/upstream/remove_upstream_target.rs
@@ -0,0 +1,232 @@
 use std::sync::Arc;
 use axum::{
    Json,
    extract::{Path, State},
    response::Result as AxumResult,
 };
 use sea_orm::TransactionTrait;
 use uuid::Uuid;
 use crate::{
    errors::api_error::ApiError,
    middlewares::request_info::AuthenticatedRequestInfo,
    routes::{AppState, api::openapi::tag::NGINX_TAG},
 };
 #[utoipa::path(
    delete,
    path = "/api/nginx/upstream_targets/{upstream_target_id}",
    responses(
        (status = 200, description = "Upstream target removed successfully", body = ()),
        (status = 401, description = "Unauthorized"),
        (status = 404, description = "Not found"),
        (status = 500, description = "Internal server error"),
    ),
    tag = NGINX_TAG,
 )]
 pub async fn remove_upstream_target(
    _request_info: AuthenticatedRequestInfo,
    Path(upstream_target_id): Path<Uuid>,
    State(state): State<Arc<AppState>>,
 ) -> AxumResult<Json<()>, ApiError> {
    let upstream_service = &state.service.nginx.get_upstream_service();
    let mut tx = state.database_connection.begin().await?;
    upstream_service
        .delete_upstream_target(upstream_target_id, Some(&mut tx))
        .await?;
    state
        .service
        .nginx
        .regenerate_and_apply_config(state.service.agent_client.clone(), &Some(&mut tx))
        .await?;
    tx.commit().await?;
    Ok(Json(()))
 }
 #[cfg(test)]
 mod tests {
    use std::sync::Arc;
    use axum::http::StatusCode;
    use axum_test::TestServer;
    use sea_orm::{DatabaseBackend, DatabaseConnection, MockDatabase, MockExecResult, MockRow};
    use database::generated::entities::{upstream, upstream_target};
    use crate::{
        configs::{FromConfig, ProgramSettings},
        middlewares::require_auth::mock::REQUEST_AUTH_USER_INVALID_HEADER,
        routes::api::restricted::nginx::upstream::get_upstream_router,
        services::{agent_client::MockAgentService, get_mock_app_service},
    };
    fn get_router_with_state(db: DatabaseConnection) -> axum::Router {
        let program_settings = ProgramSettings::mock();
        let mut mock = MockAgentService::new();
        mock.expect_validate().returning(|_cfg| Ok(()));
        mock.expect_apply().returning(|_cfg| Ok(()));
        let mock_agent = Arc::new(mock);
        let app_service =
            get_mock_app_service(&Arc::new(db.clone()), &program_settings, mock_agent);
        let state = Arc::new(crate::routes::AppState {
            database_connection: Arc::new(db),
            service: Arc::new(app_service),
            config: Arc::new(program_settings),
        });
        get_upstream_router(state).layer(axum::middleware::from_fn(
            crate::middlewares::require_auth::mock::mock_require_auth,
        ))
    }
    #[tokio::test]
    async fn handler_remove_upstream_target_succeeds_returns_ok() {
        let ut_id = uuid::Uuid::new_v4();
        let current_model = upstream_target::Model {
            id: ut_id,
            upstream_id: uuid::Uuid::new_v4(),
            target_host: "127.0.0.1".to_string(),
            target_port: 8080,
            weight: 1,
            is_backup: false,
            enabled: true,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        // first find_by_id, then delete (delete typically doesn't return models)
        let up_model = upstream::Model {
            id: current_model.upstream_id,
            name: "test_upstream".to_string(),
            protocol: "http".to_string(),
            algorithm: "round_robin".to_string(),
            sticky_session: false,
            created_by: None,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let dummy_row: Vec<MockRow> = vec![];
        let first: Vec<Vec<upstream_target::Model>> = vec![vec![current_model.clone()]];
        let db = MockDatabase::new(DatabaseBackend::Sqlite)
            .append_query_results(first)
            .append_exec_results(vec![MockExecResult {
                rows_affected: 1,
                last_insert_id: 0,
            }])
            // additional query result for regenerate_and_apply_config -> generate_config
            .append_query_results(vec![vec![(up_model.clone(), Some(current_model.clone()))]])
            .append_query_results(vec![dummy_row])
            .into_connection();
        let router = get_router_with_state(db.clone());
        let server = TestServer::new(router).expect("failed to create test server");
        let res = server.delete(&format!("/upstream_targets/{}", ut_id)).await;
        res.assert_status_ok();
    }
    #[tokio::test]
    async fn handler_remove_upstream_target_agent_error_returns_internal() {
        let ut_id = uuid::Uuid::new_v4();
        let current_model = upstream_target::Model {
            id: ut_id,
            upstream_id: uuid::Uuid::new_v4(),
            target_host: "127.0.0.1".to_string(),
            target_port: 8080,
            weight: 1,
            is_backup: false,
            enabled: true,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let up_model = upstream::Model {
            id: current_model.upstream_id,
            name: "test_upstream".to_string(),
            protocol: "http".to_string(),
            algorithm: "round_robin".to_string(),
            sticky_session: false,
            created_by: None,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let mut mock = MockAgentService::new();
        mock.expect_validate().returning(|_cfg| Ok(()));
        mock.expect_apply().returning(|_cfg| {
            Err(
                crate::services::agent_client::AgentError::ApplicationFailed(
                    "internal".to_string(),
                    "Failed to communicate with the agent.".to_string(),
                ),
            )
        });
        let mock_agent = Arc::new(mock);
        let first: Vec<Vec<upstream_target::Model>> = vec![vec![current_model.clone()]];
        let db = MockDatabase::new(DatabaseBackend::Sqlite)
            .append_query_results(first)
            .append_exec_results(vec![MockExecResult {
                rows_affected: 1,
                last_insert_id: 0,
            }])
            .append_query_results(vec![vec![(up_model.clone(), Some(current_model.clone()))]])
            .into_connection();
        let program_settings = ProgramSettings::mock();
        let app_service =
            get_mock_app_service(&Arc::new(db.clone()), &program_settings, mock_agent);
        let state = Arc::new(crate::routes::AppState {
            database_connection: Arc::new(db),
            service: Arc::new(app_service),
            config: Arc::new(program_settings),
        });
        let router = get_upstream_router(state).layer(axum::middleware::from_fn(
            crate::middlewares::require_auth::mock::mock_require_auth,
        ));
        let server = TestServer::new(router).expect("failed to create test server");
        let res = server.delete(&format!("/upstream_targets/{}", ut_id)).await;
        res.assert_status(axum::http::StatusCode::INTERNAL_SERVER_ERROR);
    }
    #[tokio::test]
    async fn handler_remove_upstream_target_unauthenticated_returns_unauthorized() {
        let db = MockDatabase::new(DatabaseBackend::Sqlite).into_connection();
        let router = get_router_with_state(db.clone());
        let server = TestServer::new(router).expect("failed to create test server");
        let res = server
            .delete(&format!("/upstream_targets/{}", uuid::Uuid::new_v4()))
            .add_header(REQUEST_AUTH_USER_INVALID_HEADER, "true")
            .await;
        res.assert_status(StatusCode::UNAUTHORIZED);
    }
    #[tokio::test]
    async fn handler_remove_upstream_target_not_found_returns_not_found() {
        let empty_results: Vec<Vec<upstream_target::Model>> =
            vec![Vec::<upstream_target::Model>::new()];
        let db = MockDatabase::new(DatabaseBackend::Sqlite)
            .append_query_results(empty_results)
            .into_connection();
        let router = get_router_with_state(db.clone());
        let server = TestServer::new(router).expect("failed to create test server");
        let res = server
            .delete(&format!("/upstream_targets/{}", uuid::Uuid::new_v4()))
            .await;
        res.assert_status(StatusCode::NOT_FOUND);
    }
 }
--- a/apps/api/src/routes/api/restricted/nginx/upstream/update_upstream.rs
+++ b/apps/api/src/routes/api/restricted/nginx/upstream/update_upstream.rs
@@ -0,0 +1,320 @@
 use std::sync::Arc;
 use axum::{
    Json,
    extract::{Path, State},
    response::Result as AxumResult,
 };
 use sea_orm::TransactionTrait;
 use serde::{Deserialize, Serialize};
 use uuid::Uuid;
 use crate::{
    errors::api_error::ApiError,
    middlewares::request_info::AuthenticatedRequestInfo,
    routes::{
        AppState, api::openapi::tag::NGINX_TAG,
        api::restricted::nginx::upstream::info::response::UpdateUpstreamInfoResponse,
    },
    services::nginx::info::upstream::UpdateUpstreamInfo,
 };
 #[derive(Deserialize, utoipa::ToSchema, Serialize)]
 pub struct UpstreamTargetBasicUpdateInfo {
    pub id: i64,
    pub enabled: bool,
 }
 #[derive(Deserialize, utoipa::ToSchema, Serialize)]
 pub struct UpdateUpstreamRequestBody {
    pub name: Option<String>,
    pub protocol: Option<String>,
    pub algorithm: Option<String>,
    pub sticky_session: Option<bool>,
    // only updates upstream targets' enabled status for now
    pub upstream_targets: Option<Vec<UpstreamTargetBasicUpdateInfo>>,
 }
 impl From<UpdateUpstreamRequestBody> for UpdateUpstreamInfo {
    fn from(val: UpdateUpstreamRequestBody) -> Self {
        Self {
            name: val.name,
            protocol: val.protocol,
            algorithm: val.algorithm,
            sticky_session: val.sticky_session,
            //
            upstream_targets: None,
        }
    }
 }
 #[utoipa::path(
    patch,
    path = "/api/nginx/upstreams/{upstream_id}",
    request_body = UpdateUpstreamRequestBody,
    responses(
        (status = 200, description = "Upstream updated successfully", body = UpdateUpstreamInfoResponse),
        (status = 401, description = "Unauthorized"),
        (status = 404, description = "Not found"),
        (status = 422, description = "Invalid request"),
        (status = 500, description = "Internal server error"),
    ),
    tag = NGINX_TAG,
 )]
 pub async fn update_upstream(
    _request_info: AuthenticatedRequestInfo,
    Path(upstream_id): Path<Uuid>,
    State(state): State<Arc<AppState>>,
    Json(payload): Json<UpdateUpstreamRequestBody>,
 ) -> AxumResult<Json<UpdateUpstreamInfoResponse>, ApiError> {
    let upstream_service = &state.service.nginx.get_upstream_service();
    let update_info: UpdateUpstreamInfo = payload.into();
    let mut tx = state.database_connection.begin().await?;
    let r = upstream_service
        .update_upstream(upstream_id, update_info, Some(&mut tx))
        .await?;
    state
        .service
        .nginx
        .regenerate_and_apply_config(state.service.agent_client.clone(), &Some(&mut tx))
        .await?;
    tx.commit().await?;
    Ok(Json(r.into()))
 }
 #[cfg(test)]
 mod tests {
    use std::sync::Arc;
    use axum::http::StatusCode;
    use axum_test::TestServer;
    use sea_orm::{DatabaseBackend, DatabaseConnection, MockDatabase, MockRow};
    use database::generated::entities::{upstream, upstream_target};
    use super::UpdateUpstreamRequestBody;
    use crate::{
        configs::{FromConfig, ProgramSettings},
        middlewares::require_auth::mock::REQUEST_AUTH_USER_INVALID_HEADER,
        routes::api::restricted::nginx::upstream::get_upstream_router,
        services::{agent_client::MockAgentService, get_mock_app_service},
    };
    fn get_router_with_state(db: DatabaseConnection) -> axum::Router {
        let program_settings = ProgramSettings::mock();
        let mut mock = MockAgentService::new();
        mock.expect_validate().returning(|_cfg| Ok(()));
        mock.expect_apply().returning(|_cfg| Ok(()));
        let mock_agent = Arc::new(mock);
        let app_service =
            get_mock_app_service(&Arc::new(db.clone()), &program_settings, mock_agent);
        let state = Arc::new(crate::routes::AppState {
            database_connection: Arc::new(db),
            service: Arc::new(app_service),
            config: Arc::new(program_settings),
        });
        get_upstream_router(state).layer(axum::middleware::from_fn(
            crate::middlewares::require_auth::mock::mock_require_auth,
        ))
    }
    #[tokio::test]
    async fn handler_update_upstream_succeeds_returns_ok() {
        let up_id = uuid::Uuid::new_v4();
        let current_model = upstream::Model {
            id: up_id,
            name: "old_upstream".to_string(),
            protocol: "http".to_string(),
            algorithm: "round_robin".to_string(),
            sticky_session: false,
            created_by: Some(uuid::Uuid::new_v4()),
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let updated_model = upstream::Model {
            id: up_id,
            name: "updated_upstream".to_string(),
            protocol: "http".to_string(),
            algorithm: "round_robin".to_string(),
            sticky_session: false,
            created_by: Some(uuid::Uuid::new_v4()),
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        // first find_by_id, then update returns updated model
        let up_model = current_model.clone();
        let first: Vec<Vec<upstream::Model>> = vec![vec![current_model.clone()]];
        let second: Vec<Vec<upstream::Model>> = vec![vec![updated_model.clone()]];
        let dummy_row: Vec<MockRow> = vec![];
        let db = MockDatabase::new(DatabaseBackend::Sqlite)
            .append_query_results(first)
            .append_query_results(second)
            // additional query result for regenerate_and_apply_config -> generate_config
            .append_query_results(vec![vec![(
                up_model.clone(),
                Option::<upstream_target::Model>::None,
            )]])
            .append_query_results(vec![dummy_row])
            .into_connection();
        let router = get_router_with_state(db.clone());
        let server = TestServer::new(router).expect("failed to create test server");
        let payload = UpdateUpstreamRequestBody {
            name: Some("updated_upstream".to_string()),
            protocol: None,
            algorithm: None,
            sticky_session: None,
            upstream_targets: None,
        };
        let res = server
            .patch(&format!("/upstreams/{}", up_id))
            .json(&payload)
            .await;
        res.assert_status_ok();
        let text = res.text();
        let body: crate::routes::api::restricted::nginx::upstream::info::response::UpdateUpstreamInfoResponse =
            serde_json::from_str(&text).expect("failed to parse json");
        assert_eq!(body.id, up_id);
        assert_eq!(body.name, "updated_upstream");
    }
    #[tokio::test]
    async fn handler_update_upstream_agent_error_returns_internal() {
        let up_id = uuid::Uuid::new_v4();
        let current_model = upstream::Model {
            id: up_id,
            name: "old_upstream".to_string(),
            protocol: "http".to_string(),
            algorithm: "round_robin".to_string(),
            sticky_session: false,
            created_by: Some(uuid::Uuid::new_v4()),
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let updated_model = upstream::Model {
            id: up_id,
            name: "updated_upstream".to_string(),
            protocol: "http".to_string(),
            algorithm: "round_robin".to_string(),
            sticky_session: false,
            created_by: Some(uuid::Uuid::new_v4()),
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let up_model = current_model.clone();
        let mut mock = MockAgentService::new();
        mock.expect_validate().returning(|_cfg| Ok(()));
        mock.expect_apply().returning(|_cfg| {
            Err(
                crate::services::agent_client::AgentError::ApplicationFailed(
                    "internal".to_string(),
                    "Failed to communicate with the agent.".to_string(),
                ),
            )
        });
        let mock_agent = Arc::new(mock);
        let first: Vec<Vec<upstream::Model>> = vec![vec![current_model.clone()]];
        let second: Vec<Vec<upstream::Model>> = vec![vec![updated_model.clone()]];
        let db = MockDatabase::new(DatabaseBackend::Sqlite)
            .append_query_results(first)
            .append_query_results(second)
            .append_query_results(vec![vec![(
                up_model.clone(),
                Option::<upstream_target::Model>::None,
            )]])
            .into_connection();
        let program_settings = ProgramSettings::mock();
        let app_service =
            get_mock_app_service(&Arc::new(db.clone()), &program_settings, mock_agent);
        let state = Arc::new(crate::routes::AppState {
            database_connection: Arc::new(db),
            service: Arc::new(app_service),
            config: Arc::new(program_settings),
        });
        let router = get_upstream_router(state).layer(axum::middleware::from_fn(
            crate::middlewares::require_auth::mock::mock_require_auth,
        ));
        let server = TestServer::new(router).expect("failed to create test server");
        let payload = UpdateUpstreamRequestBody {
            name: Some("updated_upstream".to_string()),
            protocol: None,
            algorithm: None,
            sticky_session: None,
            upstream_targets: None,
        };
        let res = server
            .patch(&format!("/upstreams/{}", up_id))
            .json(&payload)
            .await;
        res.assert_status(axum::http::StatusCode::INTERNAL_SERVER_ERROR);
    }
    #[tokio::test]
    async fn handler_update_upstream_unauthenticated_returns_unauthorized() {
        let db = MockDatabase::new(DatabaseBackend::Sqlite).into_connection();
        let router = get_router_with_state(db.clone());
        let server = TestServer::new(router).expect("failed to create test server");
        let payload = UpdateUpstreamRequestBody {
            name: Some("updated_upstream".to_string()),
            protocol: None,
            algorithm: None,
            sticky_session: None,
            upstream_targets: None,
        };
        let res = server
            .patch(&format!("/upstreams/{}", uuid::Uuid::new_v4()))
            .add_header(REQUEST_AUTH_USER_INVALID_HEADER, "true")
            .json(&payload)
            .await;
        res.assert_status(StatusCode::UNAUTHORIZED);
    }
    #[tokio::test]
    async fn handler_update_upstream_not_found_returns_not_found() {
        let empty_results: Vec<Vec<upstream::Model>> = vec![Vec::<upstream::Model>::new()];
        let db = MockDatabase::new(DatabaseBackend::Sqlite)
            .append_query_results(empty_results)
            .into_connection();
        let router = get_router_with_state(db.clone());
        let server = TestServer::new(router).expect("failed to create test server");
        let payload = UpdateUpstreamRequestBody {
            name: Some("updated_upstream".to_string()),
            protocol: None,
            algorithm: None,
            sticky_session: None,
            upstream_targets: None,
        };
        let res = server
            .patch(&format!("/upstreams/{}", uuid::Uuid::new_v4()))
            .json(&payload)
            .await;
        res.assert_status(StatusCode::NOT_FOUND);
    }
 }
--- a/apps/api/src/routes/api/restricted/nginx/upstream/update_upstream_target.rs
+++ b/apps/api/src/routes/api/restricted/nginx/upstream/update_upstream_target.rs
@@ -0,0 +1,351 @@
 use std::sync::Arc;
 use axum::{
    Json,
    extract::{Path, State},
    response::Result as AxumResult,
 };
 use sea_orm::TransactionTrait;
 use serde::{Deserialize, Serialize};
 use uuid::Uuid;
 use crate::{
    errors::api_error::ApiError,
    middlewares::request_info::AuthenticatedRequestInfo,
    routes::{
        AppState, api::openapi::tag::NGINX_TAG,
        api::restricted::nginx::upstream::info::response::UpdateUpstreamTargetInfoResponse,
    },
    services::nginx::info::upstream_target::UpdateUpstreamTargetInfo,
 };
 #[derive(Deserialize, utoipa::ToSchema, Serialize)]
 pub struct UpdateUpstreamTargetRequestBody {
    pub host: Option<String>,
    pub port: Option<i64>,
    pub enabled: Option<bool>,
    pub is_backup: Option<bool>,
    pub weight: Option<i32>,
 }
 impl From<UpdateUpstreamTargetRequestBody> for UpdateUpstreamTargetInfo {
    fn from(val: UpdateUpstreamTargetRequestBody) -> Self {
        Self {
            target_host: val.host,
            target_port: val.port,
            enabled: val.enabled,
            is_backup: val.is_backup,
            weight: val.weight.map(|w| w as i64),
        }
    }
 }
 #[utoipa::path(
    patch,
    path = "/api/nginx/upstream_targets/{upstream_target_id}",
    request_body = UpdateUpstreamTargetRequestBody,
    responses(
        (status = 200, description = "Upstream target updated successfully", body = UpdateUpstreamTargetInfoResponse),
        (status = 401, description = "Unauthorized"),
        (status = 404, description = "Not found"),
        (status = 422, description = "Invalid request"),
        (status = 500, description = "Internal server error"),
    ),
    tag = NGINX_TAG,
 )]
 pub async fn update_upstream_target(
    _request_info: AuthenticatedRequestInfo,
    Path(upstream_target_id): Path<Uuid>,
    State(state): State<Arc<AppState>>,
    Json(payload): Json<UpdateUpstreamTargetRequestBody>,
 ) -> AxumResult<Json<UpdateUpstreamTargetInfoResponse>, ApiError> {
    let upstream_service = &state.service.nginx.get_upstream_service();
    let update_info: UpdateUpstreamTargetInfo = payload.into();
    let mut tx = state.database_connection.begin().await?;
    let r = upstream_service
        .update_upstream_target(upstream_target_id, update_info, Some(&mut tx))
        .await?;
    state
        .service
        .nginx
        .regenerate_and_apply_config(state.service.agent_client.clone(), &Some(&mut tx))
        .await?;
    tx.commit().await?;
    Ok(Json(r.into()))
 }
 #[cfg(test)]
 mod tests {
    use std::sync::Arc;
    use axum::http::StatusCode;
    use axum::routing::patch;
    use axum_test::TestServer;
    use sea_orm::{DatabaseBackend, DatabaseConnection, MockDatabase};
    use database::generated::entities::{upstream, upstream_target};
    use super::UpdateUpstreamTargetRequestBody;
    use crate::{
        configs::{FromConfig, ProgramSettings},
        middlewares::require_auth::mock::REQUEST_AUTH_USER_INVALID_HEADER,
        services::{agent_client::MockAgentService, get_mock_app_service},
    };
    fn get_router_with_state(db: DatabaseConnection) -> axum::Router {
        let program_settings = ProgramSettings::mock();
        let mut mock = MockAgentService::new();
        mock.expect_validate().returning(|_cfg| Ok(()));
        mock.expect_apply().returning(|_cfg| Ok(()));
        let mock_agent = Arc::new(mock);
        let app_service =
            get_mock_app_service(&Arc::new(db.clone()), &program_settings, mock_agent);
        let state = Arc::new(crate::routes::AppState {
            database_connection: Arc::new(db),
            service: Arc::new(app_service),
            config: Arc::new(program_settings),
        });
        axum::Router::new()
            .route(
                "/upstream_targets/{upstream_target_id}",
                patch(crate::routes::api::restricted::nginx::upstream::update_upstream_target::update_upstream_target),
            )
            .with_state(state)
            .layer(axum::middleware::from_fn(
                crate::middlewares::require_auth::mock::mock_require_auth,
            ))
    }
    #[tokio::test]
    async fn handler_update_upstream_target_succeeds_returns_ok() {
        let target_id = uuid::Uuid::new_v4();
        let current_model = upstream_target::Model {
            id: target_id,
            upstream_id: uuid::Uuid::new_v4(),
            target_host: "127.0.0.1".to_string(),
            target_port: 8080,
            weight: 1,
            is_backup: false,
            enabled: true,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let updated_model = upstream_target::Model {
            id: target_id,
            upstream_id: current_model.upstream_id,
            target_host: "127.0.0.1".to_string(),
            target_port: 8081,
            weight: 2,
            is_backup: false,
            enabled: false,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let up_model = upstream::Model {
            id: current_model.upstream_id,
            name: "test_upstream".to_string(),
            protocol: "http".to_string(),
            algorithm: "round_robin".to_string(),
            sticky_session: false,
            created_by: None,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let first: Vec<Vec<upstream_target::Model>> = vec![vec![current_model.clone()]];
        let second: Vec<Vec<upstream_target::Model>> = vec![vec![updated_model.clone()]];
        // additional query result for regenerate_and_apply_config -> generate_config
        let third: Vec<Vec<(upstream::Model, Option<upstream_target::Model>)>> =
            vec![vec![(up_model.clone(), Some(updated_model.clone()))]];
        // placeholder for other queries called by regenerate_and_apply_config
        let fourth: Vec<Vec<upstream::Model>> = vec![vec![]];
        let db = MockDatabase::new(DatabaseBackend::Sqlite)
            .append_query_results(first)
            .append_query_results(second)
            .append_query_results(third)
            .append_query_results(fourth)
            .into_connection();
        let router = get_router_with_state(db.clone());
        let server = TestServer::new(router).expect("failed to create test server");
        let payload = UpdateUpstreamTargetRequestBody {
            host: None,
            port: Some(8081),
            enabled: Some(false),
            is_backup: None,
            weight: Some(2),
        };
        let res = server
            .patch(&format!("/upstream_targets/{}", target_id))
            .json(&payload)
            .await;
        res.assert_status_ok();
        let text = res.text();
        let body: crate::routes::api::restricted::nginx::upstream::info::response::UpdateUpstreamTargetInfoResponse =
            serde_json::from_str(&text).expect("failed to parse json");
        assert_eq!(body.id, target_id);
        assert_eq!(body.port, 8081);
        assert!(!body.enabled);
    }
    #[tokio::test]
    async fn handler_update_upstream_target_unauthenticated_returns_unauthorized() {
        let db = MockDatabase::new(DatabaseBackend::Sqlite).into_connection();
        let router = get_router_with_state(db.clone());
        let server = TestServer::new(router).expect("failed to create test server");
        let payload = UpdateUpstreamTargetRequestBody {
            host: None,
            port: Some(8081),
            enabled: Some(false),
            is_backup: None,
            weight: Some(2),
        };
        let res = server
            .patch(&format!("/upstream_targets/{}", uuid::Uuid::new_v4()))
            .add_header(REQUEST_AUTH_USER_INVALID_HEADER, "true")
            .json(&payload)
            .await;
        res.assert_status(StatusCode::UNAUTHORIZED);
    }
    #[tokio::test]
    async fn handler_update_upstream_target_not_found_returns_not_found() {
        let empty_results: Vec<Vec<upstream_target::Model>> =
            vec![Vec::<upstream_target::Model>::new()];
        let db = MockDatabase::new(DatabaseBackend::Sqlite)
            .append_query_results(empty_results)
            .into_connection();
        let router = get_router_with_state(db.clone());
        let server = TestServer::new(router).expect("failed to create test server");
        let payload = UpdateUpstreamTargetRequestBody {
            host: None,
            port: Some(8081),
            enabled: Some(false),
            is_backup: None,
            weight: Some(2),
        };
        let res = server
            .patch(&format!("/upstream_targets/{}", uuid::Uuid::new_v4()))
            .json(&payload)
            .await;
        res.assert_status(StatusCode::NOT_FOUND);
    }
    #[tokio::test]
    async fn handler_update_upstream_target_agent_error_returns_internal() {
        let target_id = uuid::Uuid::new_v4();
        let current_model = upstream_target::Model {
            id: target_id,
            upstream_id: uuid::Uuid::new_v4(),
            target_host: "127.0.0.1".to_string(),
            target_port: 8080,
            weight: 1,
            is_backup: false,
            enabled: true,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let updated_model = upstream_target::Model {
            id: target_id,
            upstream_id: current_model.upstream_id,
            target_host: "127.0.0.1".to_string(),
            target_port: 8081,
            weight: 2,
            is_backup: false,
            enabled: false,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let up_model = upstream::Model {
            id: current_model.upstream_id,
            name: "test_upstream".to_string(),
            protocol: "http".to_string(),
            algorithm: "round_robin".to_string(),
            sticky_session: false,
            created_by: None,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
        };
        let mut mock = MockAgentService::new();
        mock.expect_validate().returning(|_cfg| Ok(()));
        mock.expect_apply().returning(|_cfg| {
            Err(
                crate::services::agent_client::AgentError::ApplicationFailed(
                    "internal".to_string(),
                    "Failed to communicate with the agent.".to_string(),
                ),
            )
        });
        let mock_agent = Arc::new(mock);
        let first: Vec<Vec<upstream_target::Model>> = vec![vec![current_model.clone()]];
        let second: Vec<Vec<upstream_target::Model>> = vec![vec![updated_model.clone()]];
        let third: Vec<Vec<(upstream::Model, Option<upstream_target::Model>)>> =
            vec![vec![(up_model.clone(), Some(updated_model.clone()))]];
        let db = MockDatabase::new(DatabaseBackend::Sqlite)
            .append_query_results(first)
            .append_query_results(second)
            .append_query_results(third)
            .into_connection();
        let program_settings = ProgramSettings::mock();
        let app_service =
            get_mock_app_service(&Arc::new(db.clone()), &program_settings, mock_agent);
        let state = Arc::new(crate::routes::AppState {
            database_connection: Arc::new(db),
            service: Arc::new(app_service),
            config: Arc::new(program_settings),
        });
        let router = axum::Router::new()
            .route(
                "/upstream_targets/{upstream_target_id}",
                axum::routing::patch(crate::routes::api::restricted::nginx::upstream::update_upstream_target::update_upstream_target),
            )
            .with_state(state)
            .layer(axum::middleware::from_fn(
                crate::middlewares::require_auth::mock::mock_require_auth,
            ));
        let server = TestServer::new(router).expect("failed to create test server");
        let payload = UpdateUpstreamTargetRequestBody {
            host: None,
            port: Some(8081),
            enabled: Some(false),
            is_backup: None,
            weight: Some(2),
        };
        let res = server
            .patch(&format!("/upstream_targets/{}", target_id))
            .json(&payload)
            .await;
        res.assert_status(axum::http::StatusCode::INTERNAL_SERVER_ERROR);
    }
 }
--- a/apps/api/src/routes/api/restricted/user.rs
+++ b/apps/api/src/routes/api/restricted/user.rs
@@ -0,0 +1,13 @@
 pub mod me;
 use std::sync::Arc;
 use axum::Router;
 use crate::routes::AppState;
 pub fn get_user_router(state: Arc<AppState>) -> Router {
    Router::new()
        .route("/me", axum::routing::get(me::get_user_info))
        .with_state(state)
 }
--- a/apps/api/src/routes/api/restricted/user/me.rs
+++ b/apps/api/src/routes/api/restricted/user/me.rs
@@ -0,0 +1,58 @@
 use std::sync::Arc;
 use axum::{
    Json,
    extract::State,
    http::StatusCode,
    response::{IntoResponse, Response},
 };
 use serde::{Deserialize, Serialize};
 use tracing::error;
 use crate::{
    middlewares::request_info::AuthenticatedRequestInfo,
    routes::{AppState, api::openapi::tag::USER_TAG},
 };
 /// System health information
 #[derive(Serialize, Deserialize, utoipa::ToSchema)]
 pub struct UserInfo {
    /// User ID
    pub id: uuid::Uuid,
    /// Username
    pub username: String,
 }
 /// Get current user information
 ///
 /// Returns the information of the currently authenticated user.
 #[utoipa::path(
        get,
        path = "/api/user/me",
        responses(
            (status = 200, description = "User information retrieved successfully", body = UserInfo),
            (status = 401, description = "Unauthorized"),
            (status = 500, description = "Internal server error"),
        ),
        tag = USER_TAG,
    )]
 pub async fn get_user_info(
    State(app_state): State<Arc<AppState>>,
    request_info: AuthenticatedRequestInfo,
 ) -> Response {
    let user_id = request_info.user_id;
    match app_state.service.user.get_user_by_id(user_id, None).await {
        Ok(user) => {
            let user_info = UserInfo {
                id: user.id,
                username: user.username,
            };
            (StatusCode::OK, Json(user_info)).into_response()
        }
        Err(err) => {
            error!("Error fetching user info: {}", err);
            (StatusCode::INTERNAL_SERVER_ERROR).into_response()
        }
    }
 }
--- a/apps/api/src/services.rs
+++ b/apps/api/src/services.rs
@@ -1 +1,85 @@
 pub mod agent_client;
 pub mod auth;
 pub mod nginx;
 pub mod server_state;
 pub mod settings;
 use std::sync::Arc;
 use ::agent_client::apis::configuration::Configuration;
 #[cfg(test)]
 use crate::services::agent_client::MockAgentService;
 use crate::{
    configs::ProgramSettings,
    routes::{self, AuthState},
    services::{
        agent_client::{AgentService, AgentServiceImpl},
        auth::{
            authentication::{AuthenticationServiceImpl, strategies::password::PasswordStrategy},
            user::{UserService, UserServiceImpl},
        },
        nginx::NginxService,
        server_state::{ServerStateService, ServerStateStore},
        settings::{SettingsService, SettingsStore},
    },
 };
 pub type ServiceState<T> = Arc<T>;
 pub struct AppService {
    pub settings: ServiceState<dyn SettingsStore>,
    pub auth_state: AuthState,
    pub user: ServiceState<dyn UserService>,
    pub server_state: ServiceState<dyn ServerStateStore>,
    #[allow(dead_code)]
    pub nginx: ServiceState<NginxService>,
    #[allow(dead_code)]
    pub agent_client: ServiceState<dyn AgentService>,
 }
 pub fn get_app_service(
    db_connection: &Arc<sea_orm::DatabaseConnection>,
    settings: &ProgramSettings,
 ) -> AppService {
    AppService {
        server_state: Arc::new(ServerStateService::new(db_connection.clone())),
        settings: Arc::new(SettingsService::new(db_connection.clone())),
        auth_state: routes::AuthState {
            strategy: routes::AuthStrategy {
                password: Arc::new(PasswordStrategy::new(db_connection.clone())),
            },
            authentication: Arc::new(AuthenticationServiceImpl::new(
                settings.auth.jwt_secret.clone(),
            )),
        },
        user: Arc::new(UserServiceImpl::new(db_connection.clone())),
        nginx: Arc::new(NginxService::new(db_connection.clone())),
        agent_client: Arc::new(AgentServiceImpl::new(Configuration::from(
            settings.agent.clone(),
        ))),
    }
 }
 #[cfg(test)]
 pub fn get_mock_app_service(
    db_connection: &Arc<sea_orm::DatabaseConnection>,
    settings: &ProgramSettings,
    mock_agent: Arc<MockAgentService>,
 ) -> AppService {
    AppService {
        server_state: Arc::new(ServerStateService::new(db_connection.clone())),
        settings: Arc::new(SettingsService::new(db_connection.clone())),
        auth_state: routes::AuthState {
            strategy: routes::AuthStrategy {
                password: Arc::new(PasswordStrategy::new(db_connection.clone())),
            },
            authentication: Arc::new(AuthenticationServiceImpl::new(
                settings.auth.jwt_secret.clone(),
            )),
        },
        user: Arc::new(UserServiceImpl::new(db_connection.clone())),
        nginx: Arc::new(NginxService::new(db_connection.clone())),
        agent_client: mock_agent,
    }
 }
--- a/apps/api/src/services/agent_client.rs
+++ b/apps/api/src/services/agent_client.rs
@@ -0,0 +1,263 @@
 use std::{os::unix::fs::FileTypeExt, sync::Arc};
 use agent_client::{
    apis::{
        Api, ApiClient, Error as ApiError, ResponseContent,
        configuration::Configuration,
        nginx_agent_api::{ValidateAndReloadParams, ValidateParams, WriteConfigParams},
    },
    models::{ValidateAndReloadBody, ValidateBody, WriteConfigBody},
 };
 use tracing::{error, warn};
 use crate::{configs::agent::AgentSettings, errors::service_error::ServiceError};
 #[derive(Debug)]
 pub enum AgentError {
    // (internal messages, user-facing messages)
    #[allow(dead_code)]
    ValidationFailed(String, String),
    // (internal messages, user-facing messages)
    ApplicationFailed(String, String),
 }
 impl From<AgentError> for ServiceError {
    fn from(err: AgentError) -> Self {
        error!("Agent error occurred: {:?}", err);
        match err {
            AgentError::ValidationFailed(_internal, user) => ServiceError::InternalError(user),
            AgentError::ApplicationFailed(_internal, user) => ServiceError::InternalError(user),
        }
    }
 }
 impl<T: std::fmt::Debug> From<ResponseContent<T>> for AgentError {
    fn from(err: ResponseContent<T>) -> Self {
        let ResponseContent {
            status,
            content,
            entity,
        } = err;
        {
            let entity_str = entity
                .map(|e| format!("{:?}", e))
                .unwrap_or_else(|| "<empty>".to_string());
            AgentError::ApplicationFailed(
                format!(
                    "Agent responded with error status {}: {}, entity: {}",
                    status, content, entity_str
                ),
                "Agent reported an error during operation.".to_string(),
            )
        }
    }
 }
 impl<T: std::fmt::Debug> From<ApiError<T>> for AgentError {
    fn from(err: ApiError<T>) -> Self {
        match err {
            ApiError::ResponseError(resp) => AgentError::from(resp),
            ApiError::Io(err) => AgentError::ApplicationFailed(
                format!("IO error during agent communication: {}", err),
                "Failed to communicate with the agent.".to_string(),
            ),
            ApiError::Reqwest(err) => AgentError::ApplicationFailed(
                format!("Reqwest error during agent communication: {}", err),
                "Failed to communicate with the agent.".to_string(),
            ),
            ApiError::Serde(err) => AgentError::ApplicationFailed(
                format!("Serialization error during agent communication: {}", err),
                "Failed to communicate with the agent.".to_string(),
            ),
        }
    }
 }
 #[cfg_attr(test, mockall::automock)]
 #[async_trait::async_trait]
 pub trait AgentService: Send + Sync {
    #[allow(dead_code)]
    fn get_client(&self) -> Arc<ApiClient>;
    // TODO: improve error handling and reporting, error reasons
    // validate configurations that has been created/updated before the given timestamp
    #[allow(dead_code)]
    async fn validate(&self, config: &str) -> Result<(), AgentError>;
    // validate and apply configurations that has been created/updated before the given timestamp
    async fn apply(&self, config: &str) -> Result<(), AgentError>;
 }
 pub struct AgentServiceImpl {
    client: Arc<ApiClient>,
 }
 impl AgentServiceImpl {
    pub fn new(config: impl Into<Arc<Configuration>>) -> Self {
        let client = ApiClient::new(config.into());
        AgentServiceImpl {
            client: Arc::new(client),
        }
    }
 }
 impl From<AgentSettings> for Configuration {
    fn from(settings: AgentSettings) -> Self {
        let mut config = Configuration::default();
        let mut builder = reqwest::Client::builder();
        let url = settings.socket_path;
        // check if the url is a unix socket path
        let is_socket = std::fs::metadata(&url).is_ok_and(|m| m.file_type().is_socket());
        if is_socket || url.starts_with("unix://") {
            builder = builder.unix_socket(url.to_string());
            config.client = builder.build().expect("Failed to build reqwest client");
        } else {
            warn!("AgentSettings contains a non-unix socket path: {}", url);
            config.base_path = url;
        }
        config
    }
 }
 #[async_trait::async_trait]
 impl AgentService for AgentServiceImpl {
    fn get_client(&self) -> Arc<ApiClient> {
        Arc::clone(&self.client)
    }
    async fn validate(&self, config: &str) -> Result<(), AgentError> {
        let timestamp = chrono::Utc::now().timestamp_millis();
        let name = Self::get_config_name(true);
        self._validate(&name, timestamp, config).await
    }
    async fn apply(&self, config: &str) -> Result<(), AgentError> {
        let timestamp = chrono::Utc::now().timestamp_millis();
        let name = Self::get_config_name(false);
        self._validate(&name, timestamp, config).await?;
        self._apply(&name, timestamp).await
    }
 }
 impl AgentServiceImpl {
    fn get_config_name(is_validate_only: bool) -> String {
        format!(
            "nginx_config_{}{}",
            if is_validate_only {
                "validation_"
            } else {
                "application_"
            },
            uuid::Uuid::new_v4()
        )
    }
    async fn _validate(&self, name: &str, timestamp: i64, config: &str) -> Result<(), AgentError> {
        let api = self.client.nginx_agent_api();
        api.write_config(WriteConfigParams {
            write_config_body: WriteConfigBody {
                config_name: name.to_string(),
                content: config.to_string(),
                timestamp,
            },
        })
        .await?;
        api.validate(ValidateParams {
            validate_body: ValidateBody {
                config_name: name.to_string(),
                timestamp,
            },
        })
        .await?;
        Ok(())
    }
    async fn _apply(&self, name: &str, timestamp: i64) -> Result<(), AgentError> {
        let api = self.client.nginx_agent_api();
        api.validate_and_reload(ValidateAndReloadParams {
            validate_and_reload_body: ValidateAndReloadBody {
                config_name: name.to_string(),
                timestamp,
            },
        })
        .await?;
        Ok(())
    }
 }
 #[cfg(test)]
 mod tests {
    use super::*;
    use agent_client::{
        apis::{Api, nginx_agent_api::StatusSuccess},
        models::StatusResp,
    };
    use axum::{http::StatusCode, response::Json};
    use std::time::Duration;
    use tempfile::tempdir;
    use tokio::time::sleep;
    #[test]
    fn test_agent_service_creation() {
        let config = Configuration::default();
        let service = AgentServiceImpl::new(config);
        let client = service.get_client();
        assert!(Arc::ptr_eq(&client, &service.client));
    }
    #[tokio::test]
    async fn test_agent_socket_support() {
        // create temporary socket path
        let dir = tempdir().expect("Failed to create temp dir");
        let socket_path = dir.path().join("agent.sock");
        // create axum app with a simple /status route
        let app = axum::Router::new().route(
            "/status",
            axum::routing::get(|| async {
                let result: (StatusCode, StatusResp) = (StatusCode::OK, StatusResp { ok: true });
                (result.0, Json(result.1))
            }),
        );
        // bind tokio unix listener and serve in background
        let listener =
            tokio::net::UnixListener::bind(&socket_path).expect("Failed to bind to unix socket");
        let server_fut = axum::serve::serve(listener, app);
        let _srv = tokio::spawn(async move {
            let _ = server_fut.await;
        });
        // give server a moment to start
        sleep(Duration::from_millis(50)).await;
        let client: ApiClient = ApiClient::new(Arc::new(Configuration {
            base_path: "http://localhost".to_string(),
            client: reqwest::Client::builder()
                .unix_socket(socket_path.clone())
                .build()
                .expect("Failed to build reqwest client"),
            ..Default::default()
        }));
        let res = client
            .nginx_agent_api()
            .status()
            .await
            .expect("Failed to get status");
        let body = res.entity.expect("Response entity is missing");
        assert!(res.status.is_success());
        if let StatusSuccess::Status200(body) = body {
            assert!(body.ok);
        } else {
            panic!("Unexpected response body");
        }
    }
 }
--- a/apps/api/src/services/auth.rs
+++ b/apps/api/src/services/auth.rs
@@ -0,0 +1,2 @@
 pub mod authentication;
 pub mod user;
--- a/apps/api/src/services/auth/authentication.rs
+++ b/apps/api/src/services/auth/authentication.rs
@@ -0,0 +1,319 @@
 pub mod strategies;
 use std::{collections::HashSet, sync::Arc};
 use argon2::password_hash::{SaltString, rand_core::OsRng};
 use jsonwebtoken::{
    DecodingKey, EncodingKey, Header, Validation, decode, encode,
    errors::ErrorKind::{ExpiredSignature, InvalidSignature, InvalidSubject, InvalidToken},
 };
 use sea_orm::prelude::Uuid;
 use serde::{Deserialize, Serialize};
 use tokio::sync::RwLock;
 use crate::errors::service_error::ServiceError;
 // Number of requests between invalidation cache cleanups
 #[allow(dead_code)] // TODO: remove when used
 const INVALIDATE_CACHE_CLEANUP_INTERVAL_REQUESTS: usize = 100; // Cleanup every 100 for invalidation checks
 #[derive(Serialize, Deserialize, Clone)]
 pub struct Claims {
    // Subject - user ID
    pub sub: String,
    // Issued at as UNIX timestamp
    pub iat: u64,
    // Expiration time as UNIX timestamp
    pub exp: u64,
 }
 #[async_trait::async_trait]
 pub trait AuthenticationService: Send + Sync {
    async fn generate_jwt(
        &self,
        user_id: Uuid,
        duration_secs: u64,
    ) -> Result<(String, Claims), ServiceError>;
    async fn is_valid_jwt(
        &self,
        token: &str,
        target_sub: Option<String>,
    ) -> Result<Option<Claims>, ServiceError>;
    #[allow(dead_code)] // TODO: remove when used
    async fn parse_jwt(&self, token: &str) -> Result<Claims, ServiceError>;
    #[allow(dead_code)] // TODO: remove when used
    async fn invalidate_jwt(&self, token: &str) -> Result<(), ServiceError>;
    #[allow(dead_code)] // TODO: remove when used
    async fn refresh_jwt(&self, token: &str, duration_secs: u64) -> Result<String, ServiceError>;
    #[allow(dead_code)] // TODO: remove when used
    async fn logout(&self, token: &str) -> Result<(), ServiceError>;
    #[allow(dead_code)] // TODO: remove when used
    async fn cleanup_invalidation_cache(&self);
 }
 #[derive(Eq, Hash, PartialEq)]
 struct InvalidationEntry {
    token: String,
    invalidated_at: u64,
    valid_until: u64,
 }
 pub struct AuthenticationServiceImpl {
    secret: String,
    #[allow(dead_code)] // TODO: remove when used
    invalidation_cache: Arc<RwLock<HashSet<InvalidationEntry>>>,
    #[allow(dead_code)] // TODO: remove when used
    cache_cleanup_counter: Arc<RwLock<usize>>,
 }
 impl AuthenticationServiceImpl {
    pub fn new(secret: Option<String>) -> Self {
        let secret = secret.unwrap_or_else(|| {
            // generate a random secret if none is provided
            SaltString::generate(&mut OsRng).as_str().to_owned()
        });
        Self {
            secret,
            invalidation_cache: Arc::new(RwLock::new(HashSet::new())),
            cache_cleanup_counter: Arc::new(RwLock::new(0)),
        }
    }
 }
 #[async_trait::async_trait]
 impl AuthenticationService for AuthenticationServiceImpl {
    async fn generate_jwt(
        &self,
        user_id: Uuid,
        duration_secs: u64,
    ) -> Result<(String, Claims), ServiceError> {
        let header = Header::default();
        let expiration = chrono::Utc::now()
            .checked_add_signed(chrono::Duration::seconds(duration_secs as i64))
            .ok_or(ServiceError::InternalError(
                "Invalid expiration time".into(),
            ))?
            .timestamp() as u64;
        let claims = Claims {
            sub: user_id.to_string(),
            iat: chrono::Utc::now().timestamp() as u64,
            exp: expiration,
        };
        let token = encode(
            &header,
            &claims,
            &EncodingKey::from_secret(self.secret.as_ref()),
        )
        .map_err(|e| ServiceError::InternalError(format!("JWT generation error: {}", e)))?;
        Ok((token, claims))
    }
    async fn is_valid_jwt(
        &self,
        token: &str,
        target_sub: Option<String>,
    ) -> Result<Option<Claims>, ServiceError> {
        let mut validation = Validation::default();
        // disable leeway for strict expiration checking
        validation.leeway = 0;
        if let Some(expected_sub) = target_sub {
            validation.sub = Some(expected_sub);
        }
        let decoding_key = DecodingKey::from_secret(self.secret.as_ref());
        match decode::<Claims>(token, &decoding_key, &validation) {
            Ok(data) => Ok(Some(data.claims)),
            Err(err) => match *err.kind() {
                InvalidToken | InvalidSubject | ExpiredSignature | InvalidSignature => Ok(None),
                _ => Err(ServiceError::InternalError(format!(
                    "JWT validation error: {}",
                    err
                ))),
            },
        }
    }
    async fn parse_jwt(&self, token: &str) -> Result<Claims, ServiceError> {
        let decoding_key = DecodingKey::from_secret(self.secret.as_ref());
        let token_data = decode::<Claims>(token, &decoding_key, &Validation::default())
            .map_err(|e| ServiceError::InternalError(format!("JWT parsing error: {}", e)))?;
        Ok(token_data.claims)
    }
    async fn invalidate_jwt(&self, token: &str) -> Result<(), ServiceError> {
        let claims = self.parse_jwt(token).await?;
        let valid_until = claims.exp;
        let invalidated_at = chrono::Utc::now().timestamp() as u64;
        let entry = InvalidationEntry {
            token: token.to_string(),
            invalidated_at,
            valid_until,
        };
        {
            self.invalidation_cache.write().await.insert(entry);
        }
        //
        if self.cache_cleanup_counter.read().await.wrapping_add(1)
            % INVALIDATE_CACHE_CLEANUP_INTERVAL_REQUESTS
            == 0
        {
            self.cleanup_invalidation_cache().await;
        }
        //
        Ok(())
    }
    async fn refresh_jwt(&self, token: &str, duration_secs: u64) -> Result<String, ServiceError> {
        let claims = self.parse_jwt(token).await?;
        let user_id = Uuid::parse_str(&claims.sub).map_err(|e| {
            ServiceError::InternalError(format!("Invalid user ID in JWT claims: {}", e))
        })?;
        let (new_token, _) = self.generate_jwt(user_id, duration_secs).await?;
        Ok(new_token)
    }
    async fn logout(&self, token: &str) -> Result<(), ServiceError> {
        self.invalidate_jwt(token).await
    }
    async fn cleanup_invalidation_cache(&self) {
        let now = chrono::Utc::now().timestamp() as u64;
        let mut cache = self.invalidation_cache.write().await;
        cache.retain(|entry| entry.valid_until > now);
    }
 }
 #[cfg(test)]
 mod tests {
    use super::*;
    use tokio::time::{Duration, sleep};
    #[tokio::test]
    async fn test_jwt_generation_and_validation() {
        let service = AuthenticationServiceImpl::new(Some("secret".to_string()));
        let user_id = Uuid::new_v4();
        let (token, _) = service
            .generate_jwt(user_id, 60)
            .await
            .expect("Failed to generate jwt");
        let valid = service
            .is_valid_jwt(&token, None)
            .await
            .expect("Failed to validate jwt");
        assert!(valid.is_some(), "Generated token should be valid");
        let claims = service
            .parse_jwt(&token)
            .await
            .expect("Failed to parse jwt");
        assert_eq!(claims.sub, user_id.to_string());
    }
    #[tokio::test]
    async fn test_jwt_validation_with_wrong_subject() {
        let service = AuthenticationServiceImpl::new(Some("secret".to_string()));
        let user_id = Uuid::new_v4();
        let (token, _) = service
            .generate_jwt(user_id, 60)
            .await
            .expect("Failed to generate jwt");
        let other_sub = Uuid::new_v4().to_string();
        let valid = service
            .is_valid_jwt(&token, Some(other_sub))
            .await
            .expect("jwt is not valid");
        assert!(
            valid.is_none(),
            "Token should be invalid for a different subject"
        );
    }
    #[tokio::test]
    async fn test_parse_jwt_invalid_token() {
        let service = AuthenticationServiceImpl::new(Some("secret".to_string()));
        let res = service.parse_jwt("not_a_token").await;
        assert!(matches!(res, Err(ServiceError::InternalError(_))));
    }
    #[tokio::test]
    async fn test_refresh_jwt() {
        let service = AuthenticationServiceImpl::new(Some("secret".to_string()));
        let user_id = Uuid::new_v4();
        let (token, _) = service
            .generate_jwt(user_id, 60)
            .await
            .expect("Failed to generate jwt");
        let new_token = service
            .refresh_jwt(&token, 120)
            .await
            .expect("Failed to refresh jwt");
        let claims = service
            .parse_jwt(&new_token)
            .await
            .expect("Failed to parse refreshed jwt");
        assert_eq!(claims.sub, user_id.to_string());
        assert_eq!(claims.exp - claims.iat, 120);
    }
    #[tokio::test]
    async fn test_is_valid_jwt_expired() {
        let service = AuthenticationServiceImpl::new(Some("secret".to_string()));
        let user_id = Uuid::new_v4();
        let (token, claims) = service
            .generate_jwt(user_id, 1)
            .await
            .expect("Failed to generate jwt");
        sleep(Duration::from_secs(2)).await;
        let valid = service
            .is_valid_jwt(&token, None)
            .await
            .expect("Failed to validate jwt");
        assert!(
            valid.is_none(),
            "Token should be expired and thus invalid. Current time: {:?}. Diff: {}",
            chrono::Utc::now(),
            chrono::Utc::now().timestamp() - claims.exp as i64
        );
    }
    #[tokio::test]
    async fn test_invalidate_and_cleanup() {
        let service = AuthenticationServiceImpl::new(Some("secret".to_string()));
        let user_id = Uuid::new_v4();
        let (token, _) = service
            .generate_jwt(user_id, 1)
            .await
            .expect("Failed to generate jwt");
        service
            .invalidate_jwt(&token)
            .await
            .expect("Failed to invalidate jwt");
        // ensure entry is present
        {
            let cache = service.invalidation_cache.read().await;
            assert!(cache.iter().any(|e| e.token == token));
        }
        // wait until token validity ends and cleanup
        sleep(Duration::from_secs(2)).await;
        service.cleanup_invalidation_cache().await;
        let cache = service.invalidation_cache.read().await;
        assert!(
            cache.is_empty(),
            "Cleanup should remove expired invalidation entries"
        );
    }
 }
--- a/apps/api/src/services/auth/authentication/strategies.rs
+++ b/apps/api/src/services/auth/authentication/strategies.rs
@@ -0,0 +1 @@
 pub mod password;
--- a/apps/api/src/services/auth/authentication/strategies/password.rs
+++ b/apps/api/src/services/auth/authentication/strategies/password.rs
@@ -0,0 +1,490 @@
 use std::sync::Arc;
 use crate::{errors::service_error::ServiceError, with_conn};
 use argon2::{
    Argon2,
    password_hash::{PasswordHash, PasswordHasher, PasswordVerifier, SaltString, rand_core::OsRng},
 };
 use database::generated::entities::{user, user_identity};
 use sea_orm::{
    ColumnTrait, DatabaseConnection, DatabaseTransaction, EntityTrait, IntoActiveModel,
    QueryFilter, prelude::Uuid,
 };
 pub struct PasswordStrategy {
    connection: Arc<DatabaseConnection>,
 }
 const MAX_PASSWORD_LENGTH: usize = 32;
 const PASSWORD_PROVIDER: &str = "password";
 impl PasswordStrategy {
    pub fn new(connection: Arc<DatabaseConnection>) -> Self {
        Self { connection }
    }
    pub async fn authenticate(
        &self,
        username: &str,
        password: &str,
        tx: Option<&mut DatabaseTransaction>,
    ) -> Result<Uuid, ServiceError> {
        // Find user by username
        let user = with_conn!(&*self.connection, tx, conn, {
            user::Entity::find()
                .filter(user::Column::Name.eq(username))
                .one(*conn)
                .await?
                .ok_or_else(|| {
                    ServiceError::Unauthorized("Invalid username or password".to_string())
                })?
        });
        // Get user's identity
        let identity = with_conn!(&*self.connection, tx, conn, {
            user_identity::Entity::find()
                .filter(user_identity::Column::UserId.eq(user.id))
                .one(*conn)
                .await?
                .ok_or_else(|| {
                    ServiceError::Unauthorized("Invalid username or password".to_string())
                })?
        });
        // Check if revoked
        if identity.is_revoked {
            return Err(ServiceError::Unauthorized("Account is revoked".to_string()));
        }
        // Verify password
        let password_hash = identity
            .password_hash
            .ok_or_else(|| ServiceError::InternalError("Invalid password hash".to_string()))?;
        let parsed_hash = PasswordHash::new(&password_hash)
            .map_err(|_| ServiceError::InternalError("Invalid password hash".to_string()))?;
        Argon2::default()
            .verify_password(password.as_bytes(), &parsed_hash)
            .map_err(|_| ServiceError::Unauthorized("Invalid username or password".to_string()))?;
        Ok(user.id)
    }
    #[allow(dead_code)] // TODO: remove when used
    pub async fn revoke_identity(
        &self,
        user_id: Uuid,
        tx: Option<&mut DatabaseTransaction>,
    ) -> Result<(), ServiceError> {
        let mut identity = with_conn!(&*self.connection, tx, conn, {
            user_identity::Entity::find()
                .filter(user_identity::Column::UserId.eq(user_id))
                .one(*conn)
                .await?
                .ok_or_else(|| ServiceError::NotFound("User identity not found".to_string()))?
        });
        identity.is_revoked = true;
        with_conn!(&*self.connection, tx, conn, {
            user_identity::Entity::update(identity.into_active_model())
                .exec(*conn)
                .await
                .map_err(ServiceError::from)
        })?;
        Ok(())
    }
    pub async fn create_identity(
        &self,
        user_id: Uuid,
        password: &str,
        tx: Option<&mut DatabaseTransaction>,
    ) -> Result<(), ServiceError> {
        Self::is_valid_password(password).map_err(ServiceError::BadRequest)?;
        // If an identity already exists for this user/provider, treat as success.
        // This also allows tests using MockDatabase to provide a query result
        // for an existing identity without requiring an insert exec result.
        let existing = with_conn!(&*self.connection, tx, conn, {
            user_identity::Entity::find()
                .filter(user_identity::Column::UserId.eq(user_id))
                .filter(user_identity::Column::Provider.eq(PASSWORD_PROVIDER.to_string()))
                .one(*conn)
                .await?
        });
        if existing.is_some() {
            return Err(ServiceError::BadRequest(
                "Identity already exists".to_string(),
            ));
        }
        let password_hash = Argon2::default()
            .hash_password(password.as_bytes(), &SaltString::generate(&mut OsRng))
            .map_err(|_| ServiceError::InternalError("Failed to hash password".to_string()))?
            .to_string();
        let new_identity = user_identity::ActiveModel {
            id: sea_orm::ActiveValue::Set(Uuid::new_v4()),
            user_id: sea_orm::ActiveValue::Set(user_id),
            provider: sea_orm::ActiveValue::Set(PASSWORD_PROVIDER.to_string()),
            password_hash: sea_orm::ActiveValue::Set(Some(password_hash)),
            metadata: sea_orm::ActiveValue::Set(None),
            is_revoked: sea_orm::ActiveValue::Set(false),
            ..Default::default()
        };
        with_conn!(&*self.connection, tx, conn, {
            user_identity::Entity::insert(new_identity)
                .exec(*conn)
                .await
                .map_err(ServiceError::from)
        })?;
        Ok(())
    }
    #[allow(dead_code)] // TODO: remove when used
    pub async fn update_password(
        &self,
        user_id: Uuid,
        new_password: &str,
        tx: Option<&mut DatabaseTransaction>,
    ) -> Result<(), ServiceError> {
        Self::is_valid_password(new_password).map_err(ServiceError::BadRequest)?;
        let password_hash = Argon2::default()
            .hash_password(new_password.as_bytes(), &SaltString::generate(&mut OsRng))
            .map_err(|_| ServiceError::InternalError("Failed to hash password".to_string()))?
            .to_string();
        let mut identity = with_conn!(&*self.connection, tx, conn, {
            user_identity::Entity::find()
                .filter(user_identity::Column::UserId.eq(user_id))
                .one(*conn)
                .await?
                .ok_or_else(|| ServiceError::NotFound("User identity not found".to_string()))?
        });
        identity.password_hash = Some(password_hash);
        identity.password_changed_at = Some(chrono::Utc::now());
        with_conn!(&*self.connection, tx, conn, {
            user_identity::Entity::update(identity.into_active_model())
                .exec(*conn)
                .await
                .map_err(ServiceError::from)
        })?;
        Ok(())
    }
    fn is_valid_password(password: &str) -> Result<(), String> {
        if password.is_empty() {
            return Err("Password cannot be empty".to_string());
        }
        if password.len() > MAX_PASSWORD_LENGTH {
            return Err(format!(
                "Password cannot be longer than {} characters",
                MAX_PASSWORD_LENGTH
            ));
        }
        Ok(())
    }
 }
 #[cfg(test)]
 mod test {
    use super::*;
    use database::generated::entities::{user, user_identity};
    use sea_orm::MockDatabase;
    #[test]
    fn ensure_send_sync() {
        fn assert_send_sync<T: Send + Sync>() {}
        assert_send_sync::<PasswordStrategy>();
    }
    #[test]
    fn password_validation() {
        let valid_password = "ValidPassword123!";
        let long_password = "a".repeat(129);
        assert!(PasswordStrategy::is_valid_password(valid_password).is_ok());
        assert!(PasswordStrategy::is_valid_password(long_password.as_str()).is_err());
    }
    #[tokio::test]
    async fn authenticate_user_not_found() {
        let db = MockDatabase::new(sea_orm::DatabaseBackend::Sqlite)
            .append_query_results(vec![Vec::<sea_orm::MockRow>::new()])
            .into_connection();
        let strategy = PasswordStrategy::new(Arc::new(db));
        let result = strategy
            .authenticate("nonexistent_user", "password", None)
            .await;
        assert!(matches!(result, Err(ServiceError::Unauthorized(_))));
    }
    #[tokio::test]
    async fn authenticate_invalid_password() {
        let user_id = Uuid::new_v4();
        let password_hash = Argon2::default()
            .hash_password(
                "CorrectPassword".as_bytes(),
                &SaltString::generate(&mut OsRng),
            )
            .expect("Failed to hash password")
            .to_string();
        let db = MockDatabase::new(sea_orm::DatabaseBackend::Sqlite)
            .append_query_results(vec![vec![user::Model {
                id: user_id,
                name: "test_user".to_string(),
                is_active: true,
                is_admin: false,
                created_at: chrono::Utc::now(),
                updated_at: chrono::Utc::now(),
                deleted_at: None,
                last_login_at: None,
            }]])
            .append_query_results(vec![vec![user_identity::Model {
                id: Uuid::new_v4(),
                user_id,
                email: None,
                provider: PASSWORD_PROVIDER.to_string(),
                password_hash: Some(password_hash),
                metadata: None,
                is_revoked: false,
                revoked_at: None,
                created_at: chrono::Utc::now(),
                updated_at: chrono::Utc::now(),
                password_changed_at: None,
            }]])
            .into_connection();
        let strategy = PasswordStrategy::new(Arc::new(db));
        let result = strategy
            .authenticate("test_user", "InvalidPassword", None)
            .await;
        assert!(matches!(result, Err(ServiceError::Unauthorized(_))));
    }
    #[tokio::test]
    async fn authenticate_success() {
        let user_id = Uuid::new_v4();
        let password_hash = Argon2::default()
            .hash_password(
                "CorrectPassword".as_bytes(),
                &SaltString::generate(&mut OsRng),
            )
            .expect("Failed to hash password")
            .to_string();
        let db = MockDatabase::new(sea_orm::DatabaseBackend::Sqlite)
            .append_query_results(vec![vec![user::Model {
                id: user_id,
                name: "test_user".to_string(),
                is_active: true,
                is_admin: false,
                created_at: chrono::Utc::now(),
                updated_at: chrono::Utc::now(),
                deleted_at: None,
                last_login_at: None,
            }]])
            .append_query_results(vec![vec![user_identity::Model {
                id: Uuid::new_v4(),
                user_id,
                email: None,
                provider: PASSWORD_PROVIDER.to_string(),
                password_hash: Some(password_hash),
                metadata: None,
                is_revoked: false,
                revoked_at: None,
                created_at: chrono::Utc::now(),
                updated_at: chrono::Utc::now(),
                password_changed_at: None,
            }]])
            .into_connection();
        let strategy = PasswordStrategy::new(Arc::new(db));
        let result = strategy
            .authenticate("test_user", "CorrectPassword", None)
            .await;
        assert!(matches!(result, Ok(id) if id == user_id));
    }
    #[tokio::test]
    async fn revoke_identity_not_found() {
        let user_id = Uuid::new_v4();
        let db = MockDatabase::new(sea_orm::DatabaseBackend::Sqlite)
            .append_query_results(vec![Vec::<sea_orm::MockRow>::new()])
            .into_connection();
        let strategy = PasswordStrategy::new(Arc::new(db));
        let result = strategy.revoke_identity(user_id, None).await;
        assert!(matches!(result, Err(ServiceError::NotFound(_))));
    }
    #[tokio::test]
    async fn revoke_identity_success() {
        let user_id = Uuid::new_v4();
        let identity = user_identity::Model {
            id: Uuid::new_v4(),
            user_id,
            email: None,
            provider: PASSWORD_PROVIDER.to_string(),
            password_hash: None,
            metadata: None,
            is_revoked: false,
            revoked_at: None,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
            password_changed_at: None,
        };
        let db = MockDatabase::new(sea_orm::DatabaseBackend::Sqlite)
            .append_query_results(vec![
                vec![identity.clone()],
                vec![user_identity::Model {
                    is_revoked: true,
                    ..identity
                }],
            ])
            .into_connection();
        let strategy = PasswordStrategy::new(Arc::new(db));
        let result = strategy.revoke_identity(user_id, None).await;
        assert!(result.is_ok());
    }
    #[tokio::test]
    async fn create_identity_invalid_password() {
        let db = MockDatabase::new(sea_orm::DatabaseBackend::Sqlite).into_connection();
        let strategy = PasswordStrategy::new(Arc::new(db));
        let result = strategy.create_identity(Uuid::new_v4(), "", None).await;
        assert!(matches!(result, Err(ServiceError::BadRequest(_))));
    }
    #[tokio::test]
    async fn create_identity_success() {
        let db = MockDatabase::new(sea_orm::DatabaseBackend::Sqlite)
            // No existing identity
            .append_query_results(vec![Vec::<sea_orm::MockRow>::new()])
            // Insert exec result (mock exec result for insert)
            .append_exec_results(vec![sea_orm::MockExecResult {
                rows_affected: 1,
                last_insert_id: 0,
            }])
            // Return inserted identity for any subsequent queries
            .into_connection();
        let strategy = PasswordStrategy::new(Arc::new(db));
        let result = strategy
            .create_identity(Uuid::new_v4(), "ValidPass1!", None)
            .await;
        assert!(
            result.is_ok(),
            "Failed to create identity, error: {:?}",
            result.err()
        );
    }
    #[tokio::test]
    async fn create_identity_existing() {
        let user_id = Uuid::new_v4();
        let identity = user_identity::Model {
            id: Uuid::new_v4(),
            user_id,
            email: None,
            provider: PASSWORD_PROVIDER.to_string(),
            password_hash: Some("hash".to_string()),
            metadata: None,
            is_revoked: false,
            revoked_at: None,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
            password_changed_at: None,
        };
        let db = MockDatabase::new(sea_orm::DatabaseBackend::Sqlite)
            .append_query_results(vec![vec![identity]])
            .into_connection();
        let strategy = PasswordStrategy::new(Arc::new(db));
        let result = strategy.create_identity(user_id, "ValidPass1!", None).await;
        assert!(matches!(result, Err(ServiceError::BadRequest(_))));
    }
    #[tokio::test]
    async fn update_password_not_found() {
        let user_id = Uuid::new_v4();
        let db = MockDatabase::new(sea_orm::DatabaseBackend::Sqlite)
            .append_query_results(vec![Vec::<sea_orm::MockRow>::new()])
            .into_connection();
        let strategy = PasswordStrategy::new(Arc::new(db));
        let result = strategy.update_password(user_id, "NewPass1!", None).await;
        assert!(matches!(result, Err(ServiceError::NotFound(_))));
    }
    #[tokio::test]
    async fn update_password_success() {
        let user_id = Uuid::new_v4();
        let identity = user_identity::Model {
            id: Uuid::new_v4(),
            user_id,
            email: None,
            provider: PASSWORD_PROVIDER.to_string(),
            password_hash: Some("old_hash".to_string()),
            metadata: None,
            is_revoked: false,
            revoked_at: None,
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
            password_changed_at: None,
        };
        let db = MockDatabase::new(sea_orm::DatabaseBackend::Sqlite)
            .append_query_results(vec![
                vec![identity],
                vec![user_identity::Model {
                    id: Uuid::new_v4(),
                    user_id,
                    email: None,
                    provider: PASSWORD_PROVIDER.to_string(),
                    password_hash: Some("new_hash".to_string()),
                    metadata: None,
                    is_revoked: false,
                    revoked_at: None,
                    created_at: chrono::Utc::now(),
                    updated_at: chrono::Utc::now(),
                    password_changed_at: None,
                }],
            ])
            .into_connection();
        let strategy = PasswordStrategy::new(Arc::new(db));
        let result = strategy.update_password(user_id, "NewPass1!", None).await;
        assert!(
            result.is_ok(),
            "Failed to update password, error: {:?}",
            result.err()
        );
    }
 }
--- a/apps/api/src/services/auth/user.rs
+++ b/apps/api/src/services/auth/user.rs
@@ -0,0 +1,217 @@
 use std::sync::Arc;
 use database::generated::entities::user::{
    self, ActiveModel as UserActiveModel, Model as UserModel,
 };
 use sea_orm::{
    ActiveModelTrait, ActiveValue, ColumnTrait, DatabaseConnection, DatabaseTransaction, DbErr,
    EntityTrait, IntoActiveModel, QueryFilter, prelude::Uuid,
 };
 use crate::{errors::service_error::ServiceError, with_conn};
 #[async_trait::async_trait]
 pub trait UserService: Send + Sync {
    async fn get_user_by_id(
        &self,
        user_id: Uuid,
        tx: Option<&mut DatabaseTransaction>,
    ) -> Result<User, ServiceError>;
    #[allow(dead_code)] // TODO: remove when used
    async fn is_admin(
        &self,
        user_id: Uuid,
        tx: Option<&mut DatabaseTransaction>,
    ) -> Result<bool, ServiceError>;
    #[allow(dead_code)] // TODO: remove when used
    async fn user_exists(
        &self,
        username: &str,
        tx: Option<&mut DatabaseTransaction>,
    ) -> Result<bool, ServiceError>;
    async fn create_user(
        &self,
        user: NewUser,
        tx: Option<&mut DatabaseTransaction>,
    ) -> Result<User, ServiceError>;
    #[allow(dead_code)] // TODO: remove when used
    async fn update_user(
        &self,
        user_id: Uuid,
        user: UpdateUser,
        tx: Option<&mut DatabaseTransaction>,
    ) -> Result<User, ServiceError>;
    #[allow(dead_code)] // TODO: remove when used
    async fn delete_user(
        &self,
        user_id: Uuid,
        tx: Option<&mut DatabaseTransaction>,
    ) -> Result<(), ServiceError>;
 }
 pub struct User {
    pub id: Uuid,
    pub username: String,
    #[allow(dead_code)] // TODO: remove when used
    pub is_admin: bool,
 }
 impl From<UserModel> for User {
    fn from(model: UserModel) -> Self {
        Self {
            id: model.id,
            username: model.name,
            is_admin: model.is_admin,
        }
    }
 }
 pub struct NewUser {
    pub username: String,
    pub is_admin: bool,
 }
 pub struct UpdateUser {
    #[allow(dead_code)] // TODO: remove when used
    pub username: Option<String>,
    #[allow(dead_code)] // TODO: remove when used
    pub is_admin: Option<bool>,
    #[allow(dead_code)] // TODO: remove when used
    pub is_active: Option<bool>,
 }
 impl UpdateUser {
    #[allow(dead_code)] // TODO: remove when used
    fn apply_to_active_model(&self, model: &mut UserActiveModel) {
        if let Some(username) = &self.username {
            model.name = ActiveValue::Set(username.clone());
        }
        if let Some(is_admin) = self.is_admin {
            model.is_admin = ActiveValue::Set(is_admin);
        }
        if let Some(is_active) = self.is_active {
            model.is_active = ActiveValue::Set(is_active);
        }
    }
 }
 pub struct UserServiceImpl {
    connection: Arc<DatabaseConnection>,
 }
 impl UserServiceImpl {
    pub fn new(connection: Arc<DatabaseConnection>) -> Self {
        Self { connection }
    }
    async fn get_user_by_id_from_db(
        &self,
        user_id: Uuid,
        tx: Option<&mut DatabaseTransaction>,
    ) -> Result<UserModel, ServiceError> {
        let user = with_conn!(&*self.connection, tx, conn, {
            user::Entity::find_by_id(user_id).one(*conn).await
        });
        match user {
            Err(err) => Err(ServiceError::from(err)),
            Ok(None) => Err(ServiceError::NotFound(format!(
                "User with id '{}' not found",
                user_id
            ))),
            Ok(Some(record)) => Ok(record),
        }
    }
 }
 #[async_trait::async_trait]
 impl UserService for UserServiceImpl {
    async fn get_user_by_id(
        &self,
        user_id: Uuid,
        tx: Option<&mut DatabaseTransaction>,
    ) -> Result<User, ServiceError> {
        let user = self.get_user_by_id_from_db(user_id, tx).await?;
        Ok(User::from(user))
    }
    async fn is_admin(
        &self,
        user_id: Uuid,
        tx: Option<&mut DatabaseTransaction>,
    ) -> Result<bool, ServiceError> {
        let user = self.get_user_by_id(user_id, tx).await?;
        Ok(user.is_admin)
    }
    async fn user_exists(
        &self,
        username: &str,
        tx: Option<&mut DatabaseTransaction>,
    ) -> Result<bool, ServiceError> {
        let user = with_conn!(&*self.connection, tx, conn, {
            user::Entity::find()
                .filter(user::Column::Name.eq(username))
                .one(*conn)
                .await
        });
        match user {
            Err(err) => match err {
                DbErr::RecordNotFound(_) => Ok(false),
                _ => Err(ServiceError::from(err)),
            },
            Ok(None) => Ok(false),
            Ok(Some(_)) => Ok(true),
        }
    }
    async fn create_user(
        &self,
        user: NewUser,
        tx: Option<&mut DatabaseTransaction>,
    ) -> Result<User, ServiceError> {
        let user_active_model = UserActiveModel {
            id: ActiveValue::Set(Uuid::new_v4()),
            name: ActiveValue::Set(user.username),
            is_admin: ActiveValue::Set(user.is_admin),
            is_active: ActiveValue::Set(true),
            ..Default::default()
        };
        let user_model = with_conn!(&*self.connection, tx, conn, {
            user_active_model.insert(*conn).await
        })?;
        Ok(User::from(user_model))
    }
    async fn update_user(
        &self,
        user_id: Uuid,
        update_user: UpdateUser,
        tx: Option<&mut DatabaseTransaction>,
    ) -> Result<User, ServiceError> {
        let existing_user = self.get_user_by_id_from_db(user_id, tx).await?;
        let mut user_active_model = existing_user.into_active_model();
        update_user.apply_to_active_model(&mut user_active_model);
        let user_model = user_active_model.update(&*self.connection).await?;
        Ok(User::from(user_model))
    }
    async fn delete_user(
        &self,
        user_id: Uuid,
        tx: Option<&mut DatabaseTransaction>,
    ) -> Result<(), ServiceError> {
        let user = self.get_user_by_id_from_db(user_id, tx).await?;
        let user_active_model = user.into_active_model();
        user_active_model.delete(&*self.connection).await?;
        Ok(())
    }
 }
--- a/apps/api/src/services/nginx.rs
+++ b/apps/api/src/services/nginx.rs
@@ -0,0 +1,106 @@
 pub mod builder;
 pub mod info;
 pub mod traits;
 pub mod location;
 pub mod proxy_host;
 pub mod upstream;
 use std::sync::Arc;
 use sea_orm::{DatabaseConnection, DatabaseTransaction};
 use crate::{
    errors::service_error::ServiceError,
    services::{
        agent_client::AgentService,
        nginx::{
            builder::{NginxConfigBuilder, NginxConfigProvider},
            location::{LocationService, LocationServiceImpl},
            proxy_host::{ProxyService, ProxyServiceImpl},
            upstream::{UpstreamService, UpstreamServiceImpl},
        },
    },
 };
 pub struct NginxService {
    #[allow(dead_code)]
    connection: Arc<DatabaseConnection>,
    //
    #[allow(dead_code)]
    upstream_service: Arc<dyn UpstreamService>,
    #[allow(dead_code)]
    proxy_service: Arc<dyn ProxyService>,
    #[allow(dead_code)]
    location_service: Arc<dyn LocationService>,
 }
 impl NginxService {
    pub fn new(connection: Arc<DatabaseConnection>) -> Self {
        Self {
            connection: connection.clone(),
            //
            upstream_service: Arc::new(UpstreamServiceImpl::new(connection.clone())),
            proxy_service: Arc::new(ProxyServiceImpl::new(connection.clone())),
            location_service: Arc::new(LocationServiceImpl::new(connection.clone())),
        }
    }
    pub fn get_upstream_service(&self) -> Arc<dyn UpstreamService> {
        self.upstream_service.clone()
    }
    pub fn get_proxy_service(&self) -> Arc<dyn ProxyService> {
        self.proxy_service.clone()
    }
    pub fn get_location_service(&self) -> Arc<dyn LocationService> {
        self.location_service.clone()
    }
    #[allow(dead_code)]
    pub async fn validate_config(
        &self,
        agent: Arc<dyn AgentService>,
        config: &str,
    ) -> Result<(), ServiceError> {
        agent.validate(config).await?;
        Ok(())
    }
    pub async fn apply_changes(
        &self,
        agent: Arc<dyn AgentService>,
        config: &str,
    ) -> Result<(), ServiceError> {
        agent.apply(config).await?;
        Ok(())
    }
    pub async fn generate_config(
        &self,
        tx: &Option<&mut DatabaseTransaction>,
    ) -> Result<String, ServiceError> {
        let mut builder = NginxConfigBuilder::default();
        self.upstream_service
            .generate_config(&mut builder, tx)
            .await?;
        self.proxy_service.generate_config(&mut builder, tx).await?;
        builder.to_nginx_config(None)
    }
    pub async fn regenerate_and_apply_config(
        &self,
        agent: Arc<dyn AgentService>,
        tx: &Option<&mut DatabaseTransaction>,
    ) -> Result<(), ServiceError> {
        let config = self.generate_config(tx).await?;
        self.apply_changes(agent, &config).await?;
        Ok(())
    }
 }
--- a/apps/api/src/services/nginx/builder.rs
+++ b/apps/api/src/services/nginx/builder.rs
@@ -0,0 +1,61 @@
 use crate::{
    errors::service_error::ServiceError,
    services::nginx::info::{proxy_host::ProxyHostInfo, upstream::UpstreamInfo},
 };
 pub const INDENT_SIZE: usize = 2;
 pub trait NginxConfigProvider {
    fn to_nginx_config(&self, indent: Option<usize>) -> Result<String, ServiceError>;
 }
 #[derive(Default)]
 pub struct NginxConfigBuilder {
    upstreams: Vec<UpstreamInfo>,
    proxy_hosts: Vec<ProxyHostInfo>,
 }
 impl NginxConfigBuilder {
    pub fn add_upstream(&mut self, upstream: UpstreamInfo) {
        self.upstreams.push(upstream);
    }
    pub fn add_upstreams(&mut self, upstreams: Vec<UpstreamInfo>) {
        for upstream in upstreams {
            self.add_upstream(upstream);
        }
    }
    pub fn add_proxy_host(&mut self, proxy_host: ProxyHostInfo) {
        self.proxy_hosts.push(proxy_host);
    }
    pub fn add_proxy_hosts(&mut self, proxy_hosts: Vec<ProxyHostInfo>) {
        for proxy_host in proxy_hosts {
            self.add_proxy_host(proxy_host);
        }
    }
 }
 impl NginxConfigProvider for NginxConfigBuilder {
    fn to_nginx_config(&self, indent: Option<usize>) -> Result<String, ServiceError> {
        let mut config = format!(
            "# Nginx Config Generated by YANPM at {}",
            chrono::Utc::now()
        );
        for upstream in &self.upstreams {
            config.push('\n');
            config.push_str(&upstream.to_nginx_config(indent)?);
        }
        for proxy_host in &self.proxy_hosts {
            config.push('\n');
            config.push_str(&proxy_host.to_nginx_config(indent)?);
        }
        // TODO: Add other sections like servers, locations, etc.
        // trailing newline for file ending
        config.push('\n');
        Ok(config)
    }
 }
--- a/Show More
+++ b/Show More
		`@@ -0,0 +1,2 @@`
							`build-docker:`
							`docker build -t yanpm/agent:latest .`
`@@ -1 +1,2 @@`
		`pub mod api_error;`
	`pub mod service_error;`	`pub mod service_error;`