@atomservice/config 0.1.5

package/server/src/modules/env.ts

@@ -0,0 +1,86 @@
+import { getDb } from "../db/client.ts"
+import type { EnvironmentRow } from "../db/types.ts"
+import { HttpError, ok, optionalString, param, readBody, requireString, route } from "../http/response.ts"
+import { assertEnvAccess, requireProjectRole, requireSuperAdmin, requireUser } from "../shared/auth.ts"
+import { SLUG_RE } from "../shared/consts.ts"
+import { findEnv, findProject } from "../shared/resolve.ts"
+import { publicEnv } from "../shared/serialize.ts"
+import { newId, nowSec } from "../shared/utils.ts"
+
+function listEnvs(req: Request): Response {
+  const user = requireUser(req)
+  const project = findProject(param(req, "project"))
+  requireProjectRole(user, project.id, "viewer")
+  let rows = getDb()
+    .query(`SELECT * FROM "Environment" WHERE projectId = ? ORDER BY sortOrder, createdAt`)
+    .all(project.id) as EnvironmentRow[]
+  if (!user.isSuperAdmin) rows = rows.filter((r) => r.sensitive === 0)
+  return ok({ environments: rows.map(publicEnv) })
+}
+
+async function createEnv(req: Request): Promise<Response> {
+  const user = requireUser(req)
+  const project = findProject(param(req, "project"))
+  requireProjectRole(user, project.id, "admin")
+  const body = await readBody(req)
+  const slug = requireString(body, "slug", "环境标识")
+  const name = requireString(body, "name", "环境名称")
+  const description = optionalString(body, "description") ?? null
+  const sortOrder = typeof body.sortOrder === "number" ? body.sortOrder : 0
+  const sensitive = body.sensitive === true ? 1 : 0
+
+  if (!SLUG_RE.test(slug))
+    throw new HttpError(400, "invalid_field", "环境标识需以小写字母开头，仅含小写字母、数字、连字符")
+  if (sensitive === 1) requireSuperAdmin(user)
+
+  const db = getDb()
+  if (db.query(`SELECT 1 FROM "Environment" WHERE projectId = ? AND slug = ?`).get(project.id, slug)) {
+    throw new HttpError(409, "conflict", "环境标识已存在")
+  }
+
+  const id = newId()
+  db.query(
+    `INSERT INTO "Environment" (id, projectId, slug, name, description, sortOrder, sensitive, createdBy) VALUES (?, ?, ?, ?, ?, ?, ?, ?)`,
+  ).run(id, project.id, slug, name, description, sortOrder, sensitive, user.id)
+  const created = db.query(`SELECT * FROM "Environment" WHERE id = ?`).get(id) as EnvironmentRow
+  return ok({ environment: publicEnv(created) }, 201)
+}
+
+async function updateEnv(req: Request): Promise<Response> {
+  const user = requireUser(req)
+  const project = findProject(param(req, "project"))
+  requireProjectRole(user, project.id, "admin")
+  const env = findEnv(project.id, param(req, "env"))
+  assertEnvAccess(user, env)
+  const body = await readBody(req)
+  const name = optionalString(body, "name") ?? env.name
+  const description = body.description === undefined ? env.description : (optionalString(body, "description") ?? null)
+  const sortOrder = typeof body.sortOrder === "number" ? body.sortOrder : env.sortOrder
+  let sensitive = env.sensitive
+  if (body.sensitive !== undefined) {
+    requireSuperAdmin(user)
+    sensitive = body.sensitive === true ? 1 : 0
+  }
+
+  const db = getDb()
+  db.query(
+    `UPDATE "Environment" SET name = ?, description = ?, sortOrder = ?, sensitive = ?, updatedAt = ? WHERE id = ?`,
+  ).run(name, description, sortOrder, sensitive, nowSec(), env.id)
+  const updated = db.query(`SELECT * FROM "Environment" WHERE id = ?`).get(env.id) as EnvironmentRow
+  return ok({ environment: publicEnv(updated) })
+}
+
+function deleteEnv(req: Request): Response {
+  const user = requireUser(req)
+  const project = findProject(param(req, "project"))
+  requireProjectRole(user, project.id, "admin")
+  const env = findEnv(project.id, param(req, "env"))
+  assertEnvAccess(user, env)
+  getDb().query(`DELETE FROM "Environment" WHERE id = ?`).run(env.id)
+  return ok({ deleted: true })
+}
+
+export const envRoutes = {
+  "/v1/projects/:project/envs": { GET: route(listEnvs), POST: route(createEnv) },
+  "/v1/projects/:project/envs/:env": { PATCH: route(updateEnv), DELETE: route(deleteEnv) },
+}

package/server/src/modules/inspect.ts

@@ -0,0 +1,67 @@
+import { getDb } from "../db/client.ts"
+import type { AppRow, EnvironmentRow, ReleaseRow } from "../db/types.ts"
+import { ok, param, route } from "../http/response.ts"
+import { requireProjectRole, requireUser } from "../shared/auth.ts"
+import { findProject } from "../shared/resolve.ts"
+import { publicApp, publicEnv, publicProject, publicRelease } from "../shared/serialize.ts"
+
+function inspectProject(req: Request): Response {
+  const user = requireUser(req)
+  const project = findProject(param(req, "project"))
+  requireProjectRole(user, project.id, "viewer")
+
+  const url = new URL(req.url)
+  const appsParam = url.searchParams.get("apps")
+  const envsParam = url.searchParams.get("envs")
+  const limit = Math.min(Math.max(Number.parseInt(url.searchParams.get("limit") ?? "3", 10) || 3, 1), 20)
+
+  const db = getDb()
+
+  let appRows = db.query(`SELECT * FROM "App" WHERE projectId = ? ORDER BY createdAt`).all(project.id) as AppRow[]
+  if (appsParam) {
+    const slugs = new Set(
+      appsParam
+        .split(",")
+        .map((s) => s.trim())
+        .filter(Boolean),
+    )
+    appRows = appRows.filter((a) => slugs.has(a.slug))
+  }
+
+  let envRows = db
+    .query(`SELECT * FROM "Environment" WHERE projectId = ? ORDER BY sortOrder, createdAt`)
+    .all(project.id) as EnvironmentRow[]
+  if (!user.isSuperAdmin) envRows = envRows.filter((e) => e.sensitive === 0)
+  if (envsParam) {
+    const slugs = new Set(
+      envsParam
+        .split(",")
+        .map((s) => s.trim())
+        .filter(Boolean),
+    )
+    envRows = envRows.filter((e) => slugs.has(e.slug))
+  }
+
+  const releases: Array<{ app: string; env: string; releases: ReturnType<typeof publicRelease>[] }> = []
+  for (const app of appRows) {
+    for (const env of envRows) {
+      const rows = db
+        .query(`SELECT * FROM "Release" WHERE appId = ? AND environmentId = ? ORDER BY createdAt DESC LIMIT ?`)
+        .all(app.id, env.id, limit) as ReleaseRow[]
+      if (rows.length > 0) {
+        releases.push({ app: app.slug, env: env.slug, releases: rows.map((r) => publicRelease(r, true)) })
+      }
+    }
+  }
+
+  return ok({
+    project: publicProject(project),
+    apps: appRows.map(publicApp),
+    environments: envRows.map(publicEnv),
+    releases,
+  })
+}
+
+export const inspectRoutes = {
+  "/v1/projects/:project/inspect": { GET: route(inspectProject) },
+}

package/server/src/modules/member.ts

@@ -0,0 +1,59 @@
+import { getDb } from "../db/client.ts"
+import type { ProjectMemberRow, ProjectRole, UserRow } from "../db/types.ts"
+import { HttpError, ok, param, readBody, requireString, route } from "../http/response.ts"
+import { requireProjectRole, requireUser } from "../shared/auth.ts"
+import { findProject, findUserByAccount } from "../shared/resolve.ts"
+import { publicMember } from "../shared/serialize.ts"
+
+const ROLES: ProjectRole[] = ["admin", "collaborator", "viewer"]
+
+function listMembers(req: Request): Response {
+  const user = requireUser(req)
+  const project = findProject(param(req, "project"))
+  requireProjectRole(user, project.id, "viewer")
+  const rows = getDb()
+    .query(
+      `SELECT m.*, u.email AS email, u.name AS name FROM "ProjectMember" m JOIN "User" u ON u.id = m.userId WHERE m.projectId = ? ORDER BY m.joinedAt`,
+    )
+    .all(project.id) as (ProjectMemberRow & Pick<UserRow, "email" | "name">)[]
+  return ok({ members: rows.map(publicMember) })
+}
+
+async function addMember(req: Request): Promise<Response> {
+  const user = requireUser(req)
+  const project = findProject(param(req, "project"))
+  requireProjectRole(user, project.id, "admin")
+  const body = await readBody(req)
+  const account = requireString(body, "account", "用户账号")
+  const role = requireString(body, "role", "成员角色") as ProjectRole
+  if (!ROLES.includes(role)) throw new HttpError(400, "invalid_field", "角色须为 admin、collaborator 或 viewer")
+
+  const target = findUserByAccount(account)
+  const db = getDb()
+  const exists = db.query(`SELECT 1 FROM "ProjectMember" WHERE projectId = ? AND userId = ?`).get(project.id, target.id)
+  if (exists) {
+    db.query(`UPDATE "ProjectMember" SET role = ? WHERE projectId = ? AND userId = ?`).run(role, project.id, target.id)
+  } else {
+    db.query(`INSERT INTO "ProjectMember" (projectId, userId, role) VALUES (?, ?, ?)`).run(project.id, target.id, role)
+  }
+  const row = db
+    .query(
+      `SELECT m.*, u.email AS email, u.name AS name FROM "ProjectMember" m JOIN "User" u ON u.id = m.userId WHERE m.projectId = ? AND m.userId = ?`,
+    )
+    .get(project.id, target.id) as ProjectMemberRow & Pick<UserRow, "email" | "name">
+  return ok({ member: publicMember(row) }, exists ? 200 : 201)
+}
+
+function removeMember(req: Request): Response {
+  const user = requireUser(req)
+  const project = findProject(param(req, "project"))
+  requireProjectRole(user, project.id, "admin")
+  const target = findUserByAccount(param(req, "account"))
+  getDb().query(`DELETE FROM "ProjectMember" WHERE projectId = ? AND userId = ?`).run(project.id, target.id)
+  return ok({ removed: true })
+}
+
+export const memberRoutes = {
+  "/v1/projects/:project/members": { GET: route(listMembers), POST: route(addMember) },
+  "/v1/projects/:project/members/:account": { DELETE: route(removeMember) },
+}

package/server/src/modules/project.ts

@@ -0,0 +1,98 @@
+import { getDb } from "../db/client.ts"
+import type { ProjectRow } from "../db/types.ts"
+import { HttpError, ok, optionalString, param, readBody, requireString, route } from "../http/response.ts"
+import { requireProjectRole, requireSuperAdmin, requireUser } from "../shared/auth.ts"
+import { SLUG_RE } from "../shared/consts.ts"
+import { findProject } from "../shared/resolve.ts"
+import { publicProject } from "../shared/serialize.ts"
+import { newId, nowSec } from "../shared/utils.ts"
+
+function listProjects(req: Request): Response {
+  const user = requireUser(req)
+  const db = getDb()
+  const rows = user.isSuperAdmin
+    ? (db.query(`SELECT * FROM "Project" ORDER BY createdAt`).all() as ProjectRow[])
+    : (db
+        .query(
+          `SELECT p.* FROM "Project" p JOIN "ProjectMember" m ON m.projectId = p.id WHERE m.userId = ? ORDER BY p.createdAt`,
+        )
+        .all(user.id) as ProjectRow[])
+  return ok({ projects: rows.map(publicProject) })
+}
+
+async function createProject(req: Request): Promise<Response> {
+  const user = requireUser(req)
+  requireSuperAdmin(user)
+  const body = await readBody(req)
+  const slug = requireString(body, "slug", "项目标识")
+  const name = requireString(body, "name", "项目名称")
+  const description = optionalString(body, "description") ?? null
+
+  if (!SLUG_RE.test(slug))
+    throw new HttpError(400, "invalid_field", "项目标识需以小写字母开头，仅含小写字母、数字、连字符")
+
+  const db = getDb()
+  if (db.query(`SELECT 1 FROM "Project" WHERE slug = ?`).get(slug)) {
+    throw new HttpError(409, "conflict", "项目标识已存在")
+  }
+
+  const id = newId()
+  const create = db.transaction(() => {
+    db.query(`INSERT INTO "Project" (id, slug, name, description, createdBy) VALUES (?, ?, ?, ?, ?)`).run(
+      id,
+      slug,
+      name,
+      description,
+      user.id,
+    )
+    db.query(`INSERT INTO "ProjectMember" (projectId, userId, role) VALUES (?, ?, 'admin')`).run(id, user.id)
+  })
+  create()
+
+  const created = db.query(`SELECT * FROM "Project" WHERE id = ?`).get(id) as ProjectRow
+  return ok({ project: publicProject(created) }, 201)
+}
+
+function getProject(req: Request): Response {
+  const user = requireUser(req)
+  const project = findProject(param(req, "project"))
+  requireProjectRole(user, project.id, "viewer")
+  return ok({ project: publicProject(project) })
+}
+
+async function updateProject(req: Request): Promise<Response> {
+  const user = requireUser(req)
+  const project = findProject(param(req, "project"))
+  requireProjectRole(user, project.id, "admin")
+  const body = await readBody(req)
+  const name = optionalString(body, "name") ?? project.name
+  const description =
+    body.description === undefined ? project.description : (optionalString(body, "description") ?? null)
+
+  const db = getDb()
+  db.query(`UPDATE "Project" SET name = ?, description = ?, updatedAt = ? WHERE id = ?`).run(
+    name,
+    description,
+    nowSec(),
+    project.id,
+  )
+  const updated = db.query(`SELECT * FROM "Project" WHERE id = ?`).get(project.id) as ProjectRow
+  return ok({ project: publicProject(updated) })
+}
+
+function deleteProject(req: Request): Response {
+  const user = requireUser(req)
+  requireSuperAdmin(user)
+  const project = findProject(param(req, "project"))
+  getDb().query(`DELETE FROM "Project" WHERE id = ?`).run(project.id)
+  return ok({ deleted: true })
+}
+
+export const projectRoutes = {
+  "/v1/projects": { GET: route(listProjects), POST: route(createProject) },
+  "/v1/projects/:project": {
+    GET: route(getProject),
+    PATCH: route(updateProject),
+    DELETE: route(deleteProject),
+  },
+}

package/server/src/modules/release.ts

@@ -0,0 +1,328 @@
+import type { Server } from "bun"
+import { getDb } from "../db/client.ts"
+import type { AppRow, EnvironmentRow, ProjectRow, ReleaseRow } from "../db/types.ts"
+import { HttpError, ok, optionalString, param, readBody, route, sseRoute } from "../http/response.ts"
+import { assertEnvAccess, requireAppPrincipal, requireProjectRole, requireUser } from "../shared/auth.ts"
+import { validateAgainstSchema } from "../shared/jsonschema.ts"
+import { findApp, findEnv, findProject } from "../shared/resolve.ts"
+import { bumpSemver, diffChangeKind } from "../shared/semver.ts"
+import { publicRelease } from "../shared/serialize.ts"
+import { isAppToken, isHumanToken, verifyAppToken, verifyHumanToken } from "../shared/token.ts"
+import type { AuthUser } from "../shared/types.ts"
+import { isPlainObject, newId } from "../shared/utils.ts"
+
+type NotifyCallback = () => void
+const watchers = new Map<string, Set<NotifyCallback>>()
+
+function watcherKey(appId: string, envId: string): string {
+  return `${appId}:${envId}`
+}
+
+function subscribe(appId: string, envId: string, cb: NotifyCallback): () => void {
+  const key = watcherKey(appId, envId)
+  let set = watchers.get(key)
+  if (!set) {
+    set = new Set()
+    watchers.set(key, set)
+  }
+  set.add(cb)
+  return () => {
+    watchers.get(key)?.delete(cb)
+  }
+}
+
+function notifyWatchers(appId: string, envId: string): void {
+  for (const cb of watchers.get(watcherKey(appId, envId)) ?? []) cb()
+}
+
+interface Target {
+  project: ProjectRow
+  app: AppRow
+  env: EnvironmentRow
+  appToken: boolean
+}
+
+function authorizeRead(req: Request): Target {
+  const project = findProject(param(req, "project"))
+  const app = findApp(project.id, param(req, "app"))
+  const env = findEnv(project.id, param(req, "env"))
+
+  const header = req.headers.get("authorization") ?? ""
+  const token = header.replace(/^Bearer\s+/i, "").trim()
+
+  if (isAppToken(token)) {
+    const principal = requireAppPrincipal(req)
+    if (principal.appId !== app.id || principal.environmentId !== env.id) {
+      throw new HttpError(403, "forbidden", "该令牌无权访问此应用环境")
+    }
+    return { project, app, env, appToken: true }
+  }
+
+  const user = requireUser(req)
+  requireProjectRole(user, project.id, "viewer")
+  assertEnvAccess(user, env)
+  return { project, app, env, appToken: false }
+}
+
+function authorizeWatch(req: Request): Target {
+  const project = findProject(param(req, "project"))
+  const app = findApp(project.id, param(req, "app"))
+  const env = findEnv(project.id, param(req, "env"))
+
+  const authHeader = req.headers.get("authorization")
+  const queryToken = new URL(req.url).searchParams.get("token")
+  const raw = authHeader ? (authHeader.match(/^Bearer\s+(.+)$/i)?.[1]?.trim() ?? "") : (queryToken?.trim() ?? "")
+
+  if (!raw) throw new HttpError(401, "unauthorized", "缺少访问凭证")
+
+  if (isAppToken(raw)) {
+    const tokenRow = verifyAppToken(raw)
+    if (!tokenRow) throw new HttpError(401, "unauthorized", "应用令牌无效或已撤销")
+    if (tokenRow.appId !== app.id || tokenRow.environmentId !== env.id) {
+      throw new HttpError(403, "forbidden", "该令牌无权访问此应用环境")
+    }
+    return { project, app, env, appToken: true }
+  }
+
+  if (isHumanToken(raw)) {
+    const userRow = verifyHumanToken(raw)
+    if (!userRow) throw new HttpError(401, "unauthorized", "凭证无效或已过期，请重新登录")
+    const user: AuthUser = {
+      id: userRow.id,
+      email: userRow.email,
+      name: userRow.name,
+      isSuperAdmin: userRow.isSuperAdmin === 1,
+    }
+    requireProjectRole(user, project.id, "viewer")
+    assertEnvAccess(user, env)
+    return { project, app, env, appToken: false }
+  }
+
+  throw new HttpError(401, "unauthorized", "凭证格式无效")
+}
+
+function aliasToRange(spec: string): string | null {
+  if (spec.startsWith("compatible-")) return `^${spec.slice("compatible-".length)}`
+  if (spec.startsWith("approx-")) return `~${spec.slice("approx-".length)}`
+  return null
+}
+
+function publishedReleases(appId: string, envId: string): ReleaseRow[] {
+  return getDb()
+    .query(`SELECT * FROM "Release" WHERE appId = ? AND environmentId = ? AND status = 'published'`)
+    .all(appId, envId) as ReleaseRow[]
+}
+
+function resolveByRange(appId: string, envId: string, range: string): ReleaseRow | null {
+  const matched = publishedReleases(appId, envId).filter((r) => Bun.semver.satisfies(r.semver, range))
+  if (matched.length === 0) return null
+  matched.sort((a, b) => Bun.semver.order(b.semver, a.semver))
+  return matched[0] ?? null
+}
+
+function listReleases(req: Request): Response {
+  const { app, env, appToken } = authorizeRead(req)
+  const sql = appToken
+    ? `SELECT * FROM "Release" WHERE appId = ? AND environmentId = ? AND status = 'published' ORDER BY createdAt DESC`
+    : `SELECT * FROM "Release" WHERE appId = ? AND environmentId = ? ORDER BY createdAt DESC`
+  const rows = getDb().query(sql).all(app.id, env.id) as ReleaseRow[]
+  return ok({ releases: rows.map((r) => publicRelease(r, false)) })
+}
+
+function resolveRelease(req: Request): Response {
+  const { app, env, appToken } = authorizeRead(req)
+  const spec = param(req, "spec")
+
+  if (spec === "latest") {
+    const matched = publishedReleases(app.id, env.id)
+    if (matched.length === 0) throw new HttpError(404, "release_not_found", "该应用环境尚无已发布版本")
+    matched.sort((a, b) => Bun.semver.order(b.semver, a.semver))
+    return ok({ release: publicRelease(matched[0] as ReleaseRow, true) })
+  }
+
+  const range = aliasToRange(spec)
+  if (range !== null) {
+    const row = resolveByRange(app.id, env.id, range)
+    if (!row) throw new HttpError(404, "release_not_found", `没有匹配 ${range} 的已发布版本`)
+    return ok({ release: publicRelease(row, true) })
+  }
+
+  const sql = appToken
+    ? `SELECT * FROM "Release" WHERE appId = ? AND environmentId = ? AND semver = ? AND status = 'published'`
+    : `SELECT * FROM "Release" WHERE appId = ? AND environmentId = ? AND semver = ?`
+  const row = getDb().query(sql).get(app.id, env.id, spec) as ReleaseRow | null
+  if (!row) throw new HttpError(404, "release_not_found", `版本不存在：${spec}`)
+  return ok({ release: publicRelease(row, true) })
+}
+
+function authorizePublish(req: Request): { app: AppRow; env: EnvironmentRow } {
+  const project = findProject(param(req, "project"))
+  const app = findApp(project.id, param(req, "app"))
+  const env = findEnv(project.id, param(req, "env"))
+  const user = requireUser(req)
+  requireProjectRole(user, project.id, "admin")
+  assertEnvAccess(user, env)
+  return { app, env }
+}
+
+function setStatus(req: Request, status: "published" | "unpublished"): Response {
+  const { app, env } = authorizePublish(req)
+  const semver = param(req, "semver")
+  const db = getDb()
+  const row = db
+    .query(`SELECT * FROM "Release" WHERE appId = ? AND environmentId = ? AND semver = ?`)
+    .get(app.id, env.id, semver) as ReleaseRow | null
+  if (!row) throw new HttpError(404, "release_not_found", `版本不存在：${semver}`)
+  if (row.status === status) {
+    throw new HttpError(
+      409,
+      "status_unchanged",
+      status === "published" ? "该版本已是已发布状态" : "该版本已是未发布状态",
+    )
+  }
+  db.query(`UPDATE "Release" SET status = ? WHERE id = ?`).run(status, row.id)
+  const updated = db.query(`SELECT * FROM "Release" WHERE id = ?`).get(row.id) as ReleaseRow
+  notifyWatchers(app.id, env.id)
+  return ok({ release: publicRelease(updated, false) })
+}
+
+function publishRelease(req: Request): Response {
+  return setStatus(req, "published")
+}
+
+function unpublishRelease(req: Request): Response {
+  return setStatus(req, "unpublished")
+}
+
+const WATCH_DEADLINE_MS = 30 * 60 * 1000
+
+function resolveSpecSnapshot(target: Target, spec: string): ReturnType<typeof publicRelease> | null {
+  try {
+    if (spec === "latest") {
+      const matched = publishedReleases(target.app.id, target.env.id)
+      if (matched.length === 0) return null
+      matched.sort((a, b) => Bun.semver.order(b.semver, a.semver))
+      return publicRelease(matched[0] as ReleaseRow, true)
+    }
+    const range = aliasToRange(spec)
+    if (range !== null) {
+      const row = resolveByRange(target.app.id, target.env.id, range)
+      return row ? publicRelease(row, true) : null
+    }
+    const sql = target.appToken
+      ? `SELECT * FROM "Release" WHERE appId = ? AND environmentId = ? AND semver = ? AND status = 'published'`
+      : `SELECT * FROM "Release" WHERE appId = ? AND environmentId = ? AND semver = ?`
+    const row = getDb().query(sql).get(target.app.id, target.env.id, spec) as ReleaseRow | null
+    return row ? publicRelease(row, true) : null
+  } catch {
+    return null
+  }
+}
+
+function watchRelease(req: Request, server: Server<undefined>): Response {
+  const target = authorizeWatch(req)
+  const spec = param(req, "spec")
+  server.timeout(req, 0)
+
+  return new Response(
+    async function* () {
+      const start = Date.now()
+      const cleanup = { fn: null as (() => void) | null }
+
+      try {
+        yield `data: ${JSON.stringify({ release: resolveSpecSnapshot(target, spec) })}\n\n`
+
+        while (Date.now() - start < WATCH_DEADLINE_MS) {
+          await new Promise<void>((done) => {
+            let fired = false
+            const fire = () => {
+              if (!fired) {
+                fired = true
+                done()
+              }
+            }
+            const remaining = WATCH_DEADLINE_MS - (Date.now() - start)
+            const timer = setTimeout(fire, remaining)
+            cleanup.fn = subscribe(target.app.id, target.env.id, () => {
+              clearTimeout(timer)
+              fire()
+            })
+          })
+          cleanup.fn?.()
+          cleanup.fn = null
+
+          if (Date.now() - start < WATCH_DEADLINE_MS) {
+            yield `data: ${JSON.stringify({ release: resolveSpecSnapshot(target, spec) })}\n\n`
+          }
+        }
+
+        yield `event: timeout\ndata: {}\n\n`
+      } finally {
+        cleanup.fn?.()
+      }
+    },
+    {
+      headers: {
+        "Content-Type": "text/event-stream",
+        "Cache-Control": "no-cache",
+        "X-Accel-Buffering": "no",
+      },
+    },
+  )
+}
+
+async function createRelease(req: Request): Promise<Response> {
+  const user = requireUser(req)
+  const project = findProject(param(req, "project"))
+  requireProjectRole(user, project.id, "collaborator")
+  const app: AppRow = findApp(project.id, param(req, "app"))
+  const env = findEnv(project.id, param(req, "env"))
+  assertEnvAccess(user, env)
+
+  const body = await readBody(req)
+  if (!isPlainObject(body.config)) throw new HttpError(400, "invalid_field", "config 必须是 JSON 对象")
+  const config = body.config as Record<string, unknown>
+  const notes = optionalString(body, "notes") ?? null
+  const base = body.base === undefined || body.base === null ? null : String(body.base)
+
+  const errors = validateAgainstSchema(JSON.parse(app.schema), config)
+  if (errors.length > 0) {
+    throw new HttpError(
+      422,
+      "schema_invalid",
+      `配置不符合应用 schema：${errors.map((e) => `${e.path} ${e.message}`).join("；")}`,
+    )
+  }
+
+  const db = getDb()
+  const latest = db
+    .query(`SELECT * FROM "Release" WHERE appId = ? AND environmentId = ? ORDER BY createdAt DESC LIMIT 1`)
+    .get(app.id, env.id) as ReleaseRow | null
+
+  if (latest && base !== latest.semver) {
+    throw new HttpError(409, "stale_base", `推送基线已过期，当前最新版本为 ${latest.semver}，请先拉取最新配置`)
+  }
+  if (!latest && base !== null) {
+    throw new HttpError(409, "stale_base", "该应用环境暂无版本，请基于空配置创建首个版本")
+  }
+
+  const prevConfig = latest ? (JSON.parse(latest.snapshot) as Record<string, unknown>) : null
+  const kind = diffChangeKind(prevConfig, config)
+  if (!kind) throw new HttpError(400, "no_change", "配置无变化，无需创建新版本")
+
+  const semver = bumpSemver(latest?.semver ?? null, kind)
+  const id = newId()
+  db.query(
+    `INSERT INTO "Release" (id, appId, environmentId, semver, changeKind, status, notes, snapshot, schemaSnapshot, createdBy) VALUES (?, ?, ?, ?, ?, 'unpublished', ?, ?, ?, ?)`,
+  ).run(id, app.id, env.id, semver, kind, notes, JSON.stringify(config), app.schema, user.id)
+  const created = db.query(`SELECT * FROM "Release" WHERE id = ?`).get(id) as ReleaseRow
+  return ok({ release: publicRelease(created, true) }, 201)
+}
+
+export const releaseRoutes = {
+  "/v1/projects/:project/apps/:app/envs/:env/releases": { GET: route(listReleases), POST: route(createRelease) },
+  "/v1/projects/:project/apps/:app/envs/:env/releases/:spec": { GET: route(resolveRelease) },
+  "/v1/projects/:project/apps/:app/envs/:env/releases/:spec/watch": { GET: sseRoute(watchRelease) },
+  "/v1/projects/:project/apps/:app/envs/:env/releases/:semver/publish": { POST: route(publishRelease) },
+  "/v1/projects/:project/apps/:app/envs/:env/releases/:semver/unpublish": { POST: route(unpublishRelease) },
+}