2026-04-07 21:58:28 -04:00
|
|
|
import express from 'express';
|
|
|
|
|
import pool from '../db/pool.js';
|
chore: 1.2 ship-prep sweep — close 38 issues
Frontend / UX / a11y
- Sidebar collapse/expand toggle with localStorage persistence (#142)
- Settings sections wrap inputs in <form> with Enter-to-submit + native
validation; password autocomplete=new-password (#141, #138)
- Asset thumbnails get descriptive alt text (#140)
- Production deploy now precompiles JSX via esbuild and loads the
production React UMD instead of dev builds + in-browser Babel (#139,
#122)
- Search wrapper gets role=search; global search input gets aria-label,
role=combobox, aria-controls/aria-expanded/aria-activedescendant
wiring (#137, #135)
- Dashboard and Library no longer share the same nav icon (#136)
- Sidebar collapses off-canvas with a topbar menu button below 768 px;
mobile default is collapsed (#134)
- --text-3 bumped to #8B92A0 for WCAG AA contrast on --bg-0 (#133)
- Schedule and Library routes were rendering empty inside the .main
flex container — switched to flex:1 + min-height:0 (#131, #132,
editor + asset detail get the same fix)
- Jobs nav badge now polls /jobs?status=active every 10 s and reflects
the live count (#130, #113)
- aria-label sweep on every icon-only button (#126)
- Premiere panel release list moved to window.PREMIERE_RELEASES in
data.jsx; Editor + Settings read from the same source (#125)
- Typo setPgMclips → setPgmClips (#124)
- Stray console.error / console.warn calls gated behind
window.DF_LOG.{warn,error} (#123)
- Hardcoded /api/v1 paths route through window.ZAMPP_API_PREFIX (#115)
- Schedule rows no longer crash on null recorder_id (#117)
- EditorKeyboard guards against document.activeElement === null (#116)
- Unmount-safe timers for PasswordResetModal, Containers, Editor (#111)
- Player seek clamps below totalMs, server-side range clamping +
uncached 416 on EOF, client-side EOF-stall watchdog (#143)
- Duration badge overlap fix on narrow asset cards (#52)
Backend / security / reliability
- GET /recorders fixed N+1: single LATERAL JOIN for live_asset_id;
Docker inspects bounded to actually-recording rows (#121)
- Upload disk-storage (multer.diskStorage) streams parts to S3 instead
of buffering 500 MB in RAM (#120)
- /assets list clamps limit to MAX_LIMIT=500 to prevent OOM (#119)
- SDK upload archive listing + post-extract sanitize block zip-slip /
tar-slip and symlink escapes (#118)
- Migrations track applied state in schema_migrations, run in a
transaction, and exit non-zero on failure (#107)
- node-agent BMD_COUNT override uses BMD_DEVICE_PREFIX; filesystem
detection wins (#109, #127)
- GPU_COUNT override now merges with nvidia-smi enrichment (#108)
- /cluster/heartbeat requires a node-bound token or admin user;
tokens carry bound_hostname (#106)
- /recorders/:id/start error responses no longer echo the Docker
create payload — env vars stay out of client responses (#105)
- /recorders/probe restricts schemes (srt/rtmp/rtsp/udp/rtp), blocks
private + loopback hosts for non-admins, denies common service
ports (#104)
- Scheduler tick guarded by a Postgres advisory lock; pending/running
rows claimed via UPDATE...RETURNING + FOR UPDATE SKIP LOCKED to
survive multi-node deploys (#103)
- UUID validateUuid('id') param middleware on every /:id route (#102)
- Error handler scrubs Postgres error messages and 5xx detail (#101)
- Graceful SIGTERM/SIGINT shutdown — stops scheduler, drains the HTTP
server, ends the pool, 25 s force-exit watchdog (#100)
- AMPP sync moved from fire-and-forget to a persisted retry queue
(ampp_sync_status / attempts / next_attempt_at + scheduler retry
loop with exponential backoff) (#77)
Migrations
- 019: api_tokens.bound_hostname (#106)
- 020: assets.ampp_sync_status + retry bookkeeping (#77)
Other
- Defer #92 Growing-files per-upload toggle, #80 Audio tab, #57
Dashboard redesign, #56 Editor SPA polish phase 3, #114 S3
migration tool to v1.3
2026-05-26 22:06:14 -04:00
|
|
|
import { validateUuid } from '../middleware/errors.js';
|
2026-04-07 21:58:28 -04:00
|
|
|
import { v4 as uuidv4 } from 'uuid';
|
|
|
|
|
|
|
|
|
|
const router = express.Router();
|
chore: 1.2 ship-prep sweep — close 38 issues
Frontend / UX / a11y
- Sidebar collapse/expand toggle with localStorage persistence (#142)
- Settings sections wrap inputs in <form> with Enter-to-submit + native
validation; password autocomplete=new-password (#141, #138)
- Asset thumbnails get descriptive alt text (#140)
- Production deploy now precompiles JSX via esbuild and loads the
production React UMD instead of dev builds + in-browser Babel (#139,
#122)
- Search wrapper gets role=search; global search input gets aria-label,
role=combobox, aria-controls/aria-expanded/aria-activedescendant
wiring (#137, #135)
- Dashboard and Library no longer share the same nav icon (#136)
- Sidebar collapses off-canvas with a topbar menu button below 768 px;
mobile default is collapsed (#134)
- --text-3 bumped to #8B92A0 for WCAG AA contrast on --bg-0 (#133)
- Schedule and Library routes were rendering empty inside the .main
flex container — switched to flex:1 + min-height:0 (#131, #132,
editor + asset detail get the same fix)
- Jobs nav badge now polls /jobs?status=active every 10 s and reflects
the live count (#130, #113)
- aria-label sweep on every icon-only button (#126)
- Premiere panel release list moved to window.PREMIERE_RELEASES in
data.jsx; Editor + Settings read from the same source (#125)
- Typo setPgMclips → setPgmClips (#124)
- Stray console.error / console.warn calls gated behind
window.DF_LOG.{warn,error} (#123)
- Hardcoded /api/v1 paths route through window.ZAMPP_API_PREFIX (#115)
- Schedule rows no longer crash on null recorder_id (#117)
- EditorKeyboard guards against document.activeElement === null (#116)
- Unmount-safe timers for PasswordResetModal, Containers, Editor (#111)
- Player seek clamps below totalMs, server-side range clamping +
uncached 416 on EOF, client-side EOF-stall watchdog (#143)
- Duration badge overlap fix on narrow asset cards (#52)
Backend / security / reliability
- GET /recorders fixed N+1: single LATERAL JOIN for live_asset_id;
Docker inspects bounded to actually-recording rows (#121)
- Upload disk-storage (multer.diskStorage) streams parts to S3 instead
of buffering 500 MB in RAM (#120)
- /assets list clamps limit to MAX_LIMIT=500 to prevent OOM (#119)
- SDK upload archive listing + post-extract sanitize block zip-slip /
tar-slip and symlink escapes (#118)
- Migrations track applied state in schema_migrations, run in a
transaction, and exit non-zero on failure (#107)
- node-agent BMD_COUNT override uses BMD_DEVICE_PREFIX; filesystem
detection wins (#109, #127)
- GPU_COUNT override now merges with nvidia-smi enrichment (#108)
- /cluster/heartbeat requires a node-bound token or admin user;
tokens carry bound_hostname (#106)
- /recorders/:id/start error responses no longer echo the Docker
create payload — env vars stay out of client responses (#105)
- /recorders/probe restricts schemes (srt/rtmp/rtsp/udp/rtp), blocks
private + loopback hosts for non-admins, denies common service
ports (#104)
- Scheduler tick guarded by a Postgres advisory lock; pending/running
rows claimed via UPDATE...RETURNING + FOR UPDATE SKIP LOCKED to
survive multi-node deploys (#103)
- UUID validateUuid('id') param middleware on every /:id route (#102)
- Error handler scrubs Postgres error messages and 5xx detail (#101)
- Graceful SIGTERM/SIGINT shutdown — stops scheduler, drains the HTTP
server, ends the pool, 25 s force-exit watchdog (#100)
- AMPP sync moved from fire-and-forget to a persisted retry queue
(ampp_sync_status / attempts / next_attempt_at + scheduler retry
loop with exponential backoff) (#77)
Migrations
- 019: api_tokens.bound_hostname (#106)
- 020: assets.ampp_sync_status + retry bookkeeping (#77)
Other
- Defer #92 Growing-files per-upload toggle, #80 Audio tab, #57
Dashboard redesign, #56 Editor SPA polish phase 3, #114 S3
migration tool to v1.3
2026-05-26 22:06:14 -04:00
|
|
|
router.param('id', (req, res, next) => validateUuid('id')(req, res, next));
|
2026-04-07 21:58:28 -04:00
|
|
|
|
2026-05-23 00:08:59 -04:00
|
|
|
// GET / - List bins. Filter by project_id when supplied; otherwise return
|
|
|
|
|
// every bin across every project so the Library / asset-context-menu can
|
|
|
|
|
// present a global "move to bin" picker.
|
2026-04-07 21:58:28 -04:00
|
|
|
router.get('/', async (req, res, next) => {
|
|
|
|
|
try {
|
|
|
|
|
const { project_id } = req.query;
|
|
|
|
|
|
2026-05-23 00:08:59 -04:00
|
|
|
const params = [];
|
|
|
|
|
let where = '';
|
|
|
|
|
if (project_id) {
|
|
|
|
|
where = 'WHERE b.project_id = $1';
|
|
|
|
|
params.push(project_id);
|
2026-04-07 21:58:28 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const result = await pool.query(
|
2026-05-23 00:08:59 -04:00
|
|
|
`SELECT b.*, p.name AS project_name,
|
|
|
|
|
(SELECT COUNT(*)::int FROM assets a WHERE a.bin_id = b.id) AS asset_count
|
|
|
|
|
FROM bins b
|
|
|
|
|
LEFT JOIN projects p ON p.id = b.project_id
|
|
|
|
|
${where}
|
|
|
|
|
ORDER BY b.created_at DESC`,
|
|
|
|
|
params
|
2026-04-07 21:58:28 -04:00
|
|
|
);
|
|
|
|
|
|
|
|
|
|
res.json(result.rows);
|
|
|
|
|
} catch (err) {
|
|
|
|
|
next(err);
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
// POST / - Create bin
|
|
|
|
|
router.post('/', async (req, res, next) => {
|
|
|
|
|
try {
|
|
|
|
|
const { project_id, name, parent_id } = req.body;
|
|
|
|
|
|
|
|
|
|
if (!project_id || !name) {
|
|
|
|
|
return res.status(400).json({ error: 'project_id and name are required' });
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const id = uuidv4();
|
|
|
|
|
|
|
|
|
|
const result = await pool.query(
|
|
|
|
|
`INSERT INTO bins (id, project_id, name, parent_id, created_at, updated_at)
|
|
|
|
|
VALUES ($1, $2, $3, $4, NOW(), NOW())
|
|
|
|
|
RETURNING *`,
|
|
|
|
|
[id, project_id, name, parent_id || null]
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
res.status(201).json(result.rows[0]);
|
|
|
|
|
} catch (err) {
|
|
|
|
|
next(err);
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
// PATCH /:id - Update bin
|
|
|
|
|
router.patch('/:id', async (req, res, next) => {
|
|
|
|
|
try {
|
|
|
|
|
const { id } = req.params;
|
|
|
|
|
const { name, parent_id } = req.body;
|
|
|
|
|
|
|
|
|
|
const updates = [];
|
|
|
|
|
const params = [];
|
|
|
|
|
let paramCount = 1;
|
|
|
|
|
|
|
|
|
|
if (name !== undefined) {
|
|
|
|
|
updates.push(`name = $${paramCount++}`);
|
|
|
|
|
params.push(name);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (parent_id !== undefined) {
|
|
|
|
|
updates.push(`parent_id = $${paramCount++}`);
|
|
|
|
|
params.push(parent_id || null);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (updates.length === 0) {
|
|
|
|
|
return res.status(400).json({ error: 'No fields to update' });
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
updates.push(`updated_at = NOW()`);
|
|
|
|
|
params.push(id);
|
|
|
|
|
|
|
|
|
|
const query = `
|
|
|
|
|
UPDATE bins
|
|
|
|
|
SET ${updates.join(', ')}
|
|
|
|
|
WHERE id = $${paramCount}
|
|
|
|
|
RETURNING *
|
|
|
|
|
`;
|
|
|
|
|
|
|
|
|
|
const result = await pool.query(query, params);
|
|
|
|
|
|
|
|
|
|
if (result.rows.length === 0) {
|
|
|
|
|
return res.status(404).json({ error: 'Bin not found' });
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
res.json(result.rows[0]);
|
|
|
|
|
} catch (err) {
|
|
|
|
|
next(err);
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
// DELETE /:id - Delete bin
|
|
|
|
|
router.delete('/:id', async (req, res, next) => {
|
|
|
|
|
try {
|
|
|
|
|
const { id } = req.params;
|
|
|
|
|
|
|
|
|
|
const result = await pool.query(
|
|
|
|
|
'DELETE FROM bins WHERE id = $1 RETURNING *',
|
|
|
|
|
[id]
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
if (result.rows.length === 0) {
|
|
|
|
|
return res.status(404).json({ error: 'Bin not found' });
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
res.json({ message: 'Bin deleted', bin: result.rows[0] });
|
|
|
|
|
} catch (err) {
|
|
|
|
|
next(err);
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
// POST /:id/assets - Add asset to bin
|
|
|
|
|
router.post('/:id/assets', async (req, res, next) => {
|
|
|
|
|
try {
|
|
|
|
|
const { id } = req.params;
|
|
|
|
|
const { asset_id } = req.body;
|
|
|
|
|
|
|
|
|
|
if (!asset_id) {
|
|
|
|
|
return res.status(400).json({ error: 'asset_id is required' });
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Verify bin exists
|
|
|
|
|
const binCheck = await pool.query('SELECT id FROM bins WHERE id = $1', [id]);
|
|
|
|
|
if (binCheck.rows.length === 0) {
|
|
|
|
|
return res.status(404).json({ error: 'Bin not found' });
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Update asset's bin_id
|
|
|
|
|
const result = await pool.query(
|
|
|
|
|
'UPDATE assets SET bin_id = $1, updated_at = NOW() WHERE id = $2 RETURNING *',
|
|
|
|
|
[id, asset_id]
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
if (result.rows.length === 0) {
|
|
|
|
|
return res.status(404).json({ error: 'Asset not found' });
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
res.json(result.rows[0]);
|
|
|
|
|
} catch (err) {
|
|
|
|
|
next(err);
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
// DELETE /:id/assets/:assetId - Remove asset from bin
|
|
|
|
|
router.delete('/:id/assets/:assetId', async (req, res, next) => {
|
|
|
|
|
try {
|
|
|
|
|
const { id, assetId } = req.params;
|
|
|
|
|
|
|
|
|
|
// Verify bin exists
|
|
|
|
|
const binCheck = await pool.query('SELECT id FROM bins WHERE id = $1', [id]);
|
|
|
|
|
if (binCheck.rows.length === 0) {
|
|
|
|
|
return res.status(404).json({ error: 'Bin not found' });
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Remove asset from bin
|
|
|
|
|
const result = await pool.query(
|
|
|
|
|
'UPDATE assets SET bin_id = NULL, updated_at = NOW() WHERE id = $1 AND bin_id = $2 RETURNING *',
|
|
|
|
|
[assetId, id]
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
if (result.rows.length === 0) {
|
|
|
|
|
return res.status(404).json({ error: 'Asset not found in this bin' });
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
res.json({ message: 'Asset removed from bin', asset: result.rows[0] });
|
|
|
|
|
} catch (err) {
|
|
|
|
|
next(err);
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
export default router;
|
