npm - create-interview-cockpit - Versions diffs - 0.23.1 → 0.24.0 - Mend

create-interview-cockpit 0.23.1 → 0.24.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/package.json +1 -1
package/template/client/src/components/LabsPanel.tsx +25 -1
package/template/client/src/components/Sidebar.tsx +268 -49
package/template/client/src/infraLab.ts +666 -2
package/template/cockpit.json +1 -1
package/template/server/src/google-drive.ts +7 -0

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "create-interview-cockpit",
-  "version": "0.23.1",
+  "version": "0.24.0",
   "description": "Scaffold a personal AI-powered interview prep cockpit",
   "type": "module",
   "bin": {

package/template/client/src/components/LabsPanel.tsx CHANGED Viewed

@@ -1,6 +1,12 @@
 import { useState } from "react";
 import { useStore } from "../store";
-import { DOCKER_DEEP_DIVE_LAB, parseInfraLabWorkspace } from "../infraLab";
+import {
+  AZURE_NETWORK_ACL_BLANK_TEMPLATE,
+  AZURE_NETWORK_ACL_DOCKER_LAB,
+  DOCKER_DEEP_DIVE_LAB,
+  POSTGRES_DOCKER_PROVIDER_LAB,
+  parseInfraLabWorkspace,
+} from "../infraLab";
 import {
   DEFAULT_GHA_LAB,
   parseGhaLabWorkspace,
@@ -641,6 +647,24 @@ export default function LabsPanel() {
                   "Dockerfile + Compose + Node API + Redis, with command-line practice",
                 onClick: () => openInfraLab(DOCKER_DEEP_DIVE_LAB),
               },
+              {
+                label: "Postgres DB in Docker",
+                description:
+                  "Terraform Docker provider deploys a local PostgreSQL database container",
+                onClick: () => openInfraLab(POSTGRES_DOCKER_PROVIDER_LAB),
+              },
+              {
+                label: "Azure ACL Failure (Docker)",
+                description:
+                  "Reproduce stale Azure subnet allowlists locally with Terraform + Docker mocks",
+                onClick: () => openInfraLab(AZURE_NETWORK_ACL_DOCKER_LAB),
+              },
+              {
+                label: "Azure ACL Blank Template",
+                description:
+                  "Same Azure-style Terraform/Docker file layout, but every file starts empty",
+                onClick: () => openInfraLab(AZURE_NETWORK_ACL_BLANK_TEMPLATE),
+              },
               {
                 label: "Enterprise BFF Docker Stack",
                 description:

package/template/client/src/components/Sidebar.tsx CHANGED Viewed

@@ -1,6 +1,7 @@
 import { useState, useEffect, useRef, Fragment } from "react";
 import { useStore } from "../store";
 import type { Question } from "../types";
+import type { DriveFolder } from "../api";
 import * as api from "../api";
 import FileAttachments from "./FileAttachments";
 import WorkspaceSwitcher from "./WorkspaceSwitcher";
@@ -116,6 +117,8 @@ export default function Sidebar() {
     driveRootFolders,
     loadingDriveFolders,
     fetchDriveRootFolders,
+    fetchDriveSubfolders,
+    createDriveSubfolder,
     selectDriveSubfolder,
     clearDriveSubfolder,
     syncWorkspace,
@@ -214,6 +217,10 @@ export default function Sidebar() {
   const isAtDriveFolderRoot = isDriveWs && !currentSubFolder;
   const canSyncDriveFolder =
     !!activeWs?.driveConfig?.folderId && !isAtDriveFolderRoot;
+  const canPushLocalDrive =
+    activeWs?.type === "local" && !!activeWs.driveConfig?.folderId;
+  const canPushDriveDestination =
+    !!activeWs?.driveConfig?.folderId && (!isDriveWs || !!currentSubFolder);
   const driveSyncTargetName =
     currentSubFolder?.name ?? activeWs?.driveConfig?.folderName ?? "Drive";
   const [navigating, setNavigating] = useState(false);
@@ -224,6 +231,15 @@ export default function Sidebar() {
   const [topicDriveStatus, setTopicDriveStatus] = useState<
     Record<string, string>
   >({});
+  const [pushPicker, setPushPicker] = useState<{
+    mode: "workspace" | "topic";
+    topicId?: string;
+    folders: DriveFolder[];
+    loading: boolean;
+  } | null>(null);
+  const [pushPickerNewFolderName, setPushPickerNewFolderName] = useState("");
+  const [pushPickerCreatingFolder, setPushPickerCreatingFolder] =
+    useState(false);
   const [wsFilesExpanded, setWsFilesExpanded] = useState(true);
   const [driveFileSyncStatus, setDriveFileSyncStatus] = useState<string | null>(
     null,
@@ -277,15 +293,12 @@ export default function Sidebar() {
     }
   };
-  const handlePushToDrive = async () => {
+  const pushWorkspaceToDrive = async (targetFolderId: string) => {
     if (!activeWorkspaceId || !activeWs?.driveConfig?.folderId) return;
     setPushing(true);
     setDriveFileSyncStatus(null);
     try {
-      const result = await exportWorkspace(
-        activeWorkspaceId,
-        activeWs.driveConfig.subFolderId,
-      );
+      const result = await exportWorkspace(activeWorkspaceId, targetFolderId);
       if ("needsAuth" in result && result.needsAuth) {
         window.location.href = result.authUrl;
         return;
@@ -302,58 +315,100 @@ export default function Sidebar() {
     }
   };
-  const setTopicStatus = (topicId: string, value: string) => {
-    setTopicDriveStatus((prev) => ({ ...prev, [topicId]: value }));
-  };
-  const handlePullTopicFromDrive = async (topicId: string) => {
+  const pushTopicToDrive = async (topicId: string, targetFolderId: string) => {
     if (!activeWorkspaceId || !activeWs?.driveConfig?.folderId) return;
-    setTopicSyncingId(topicId);
-    setTopicStatus(topicId, "Pulling topic from Drive…");
+    setTopicPushingId(topicId);
+    setTopicStatus(topicId, "Pushing topic to Drive…");
     try {
-      const result = await syncTopic(activeWorkspaceId, topicId);
+      const result = await exportTopic(activeWorkspaceId, topicId, targetFolderId);
       if ("needsAuth" in result && result.needsAuth) {
         window.location.href = result.authUrl;
         return;
       }
-      const firstError = result.errors[0];
       setTopicStatus(
         topicId,
         result.errors.length > 0
-          ? `Topic pull finished with ${result.errors.length} error${result.errors.length === 1 ? "" : "s"}. ${firstError ? `First: ${firstError}` : ""}`
-          : `Pulled ${result.filesImported} file${result.filesImported === 1 ? "" : "s"} into this topic.`,
+          ? `Topic push finished with ${result.errors.length} error${result.errors.length === 1 ? "" : "s"}.`
+          : `Pushed ${result.questionsExported} question${result.questionsExported === 1 ? "" : "s"} and ${result.filesExported} file${result.filesExported === 1 ? "" : "s"} to Drive.`,
       );
     } catch (err: any) {
-      setTopicStatus(topicId, err?.message || "Topic pull failed.");
+      setTopicStatus(topicId, err?.message || "Topic push failed.");
     } finally {
-      setTopicSyncingId(null);
+      setTopicPushingId(null);
     }
   };
-  const handlePushTopicToDrive = async (topicId: string) => {
+  const openPushDestinationPicker = async (
+    mode: "workspace" | "topic",
+    topicId?: string,
+  ) => {
     if (!activeWorkspaceId || !activeWs?.driveConfig?.folderId) return;
-    setTopicPushingId(topicId);
-    setTopicStatus(topicId, "Pushing topic to Drive…");
+    setPushPicker({ mode, topicId, folders: [], loading: true });
     try {
-      const result = await exportTopic(
-        activeWorkspaceId,
-        topicId,
-        activeWs.driveConfig.subFolderId,
-      );
+      const folders = await fetchDriveSubfolders(activeWorkspaceId);
+      setPushPicker({ mode, topicId, folders, loading: false });
+    } catch (err: any) {
+      setPushPicker({ mode, topicId, folders: [], loading: false });
+      const message = err?.message || "Failed to load Drive folders.";
+      if (mode === "topic" && topicId) setTopicStatus(topicId, message);
+      else setDriveFileSyncStatus(message);
+    }
+  };
+  const handlePushToDrive = () => {
+    if (!activeWs?.driveConfig?.folderId) return;
+    if (currentSubFolder) {
+      void pushWorkspaceToDrive(currentSubFolder.id);
+      return;
+    }
+    void openPushDestinationPicker("workspace");
+  };
+  const handlePushTopicToDrive = (topicId: string) => {
+    if (!activeWs?.driveConfig?.folderId) return;
+    if (currentSubFolder) {
+      void pushTopicToDrive(topicId, currentSubFolder.id);
+      return;
+    }
+    void openPushDestinationPicker("topic", topicId);
+  };
+  const handlePushPickerDestination = (targetFolderId: string) => {
+    const picker = pushPicker;
+    if (!picker) return;
+    setPushPicker(null);
+    if (picker.mode === "topic" && picker.topicId) {
+      void pushTopicToDrive(picker.topicId, targetFolderId);
+    } else {
+      void pushWorkspaceToDrive(targetFolderId);
+    }
+  };
+  const setTopicStatus = (topicId: string, value: string) => {
+    setTopicDriveStatus((prev) => ({ ...prev, [topicId]: value }));
+  };
+  const handlePullTopicFromDrive = async (topicId: string) => {
+    if (!activeWorkspaceId || !activeWs?.driveConfig?.folderId) return;
+    setTopicSyncingId(topicId);
+    setTopicStatus(topicId, "Pulling topic from Drive…");
+    try {
+      const result = await syncTopic(activeWorkspaceId, topicId);
       if ("needsAuth" in result && result.needsAuth) {
         window.location.href = result.authUrl;
         return;
       }
+      const firstError = result.errors[0];
       setTopicStatus(
         topicId,
         result.errors.length > 0
-          ? `Topic push finished with ${result.errors.length} error${result.errors.length === 1 ? "" : "s"}.`
-          : `Pushed ${result.questionsExported} question${result.questionsExported === 1 ? "" : "s"} and ${result.filesExported} file${result.filesExported === 1 ? "" : "s"} to Drive.`,
+          ? `Topic pull finished with ${result.errors.length} error${result.errors.length === 1 ? "" : "s"}. ${firstError ? `First: ${firstError}` : ""}`
+          : `Pulled ${result.filesImported} file${result.filesImported === 1 ? "" : "s"} into this topic.`,
       );
     } catch (err: any) {
-      setTopicStatus(topicId, err?.message || "Topic push failed.");
+      setTopicStatus(topicId, err?.message || "Topic pull failed.");
     } finally {
-      setTopicPushingId(null);
+      setTopicSyncingId(null);
     }
   };
@@ -1020,7 +1075,142 @@ export default function Sidebar() {
   };
   return (
-    <aside className="w-72 border-r border-slate-800 flex flex-col bg-slate-900/50 shrink-0">
+    <>
+      {pushPicker && (
+        <div
+          className="fixed inset-0 z-50 flex items-center justify-center bg-black/60"
+          onClick={() => !pushPicker.loading && setPushPicker(null)}
+        >
+          <div
+            className="w-80 rounded-xl border border-slate-700 bg-slate-900 p-4 shadow-2xl"
+            onClick={(e) => e.stopPropagation()}
+          >
+            <div className="mb-3 flex items-center justify-between gap-3">
+              <div>
+                <h3 className="text-sm font-semibold text-slate-200">
+                  Choose Drive destination
+                </h3>
+                <p className="mt-0.5 text-[11px] text-slate-500">
+                  {pushPicker.mode === "topic"
+                    ? "Push this topic into the selected Drive folder."
+                    : "Push this local workspace into the selected Drive folder."}
+                </p>
+              </div>
+              <button
+                onClick={() => setPushPicker(null)}
+                className="text-slate-500 hover:text-slate-300"
+                disabled={pushPicker.loading}
+              >
+                <X className="h-4 w-4" />
+              </button>
+            </div>
+            {pushPicker.loading ? (
+              <div className="flex items-center justify-center gap-2 py-6 text-xs text-slate-400">
+                <Loader2 className="h-4 w-4 animate-spin" />
+                Loading Drive folders…
+              </div>
+            ) : (
+              <>
+                <div className="max-h-52 space-y-1 overflow-y-auto">
+                  {activeWs?.driveConfig?.folderId && (
+                    <button
+                      type="button"
+                      onClick={() =>
+                        handlePushPickerDestination(activeWs.driveConfig!.folderId)
+                      }
+                      className="flex w-full items-center gap-2 rounded-lg px-3 py-2 text-left text-xs text-slate-300 hover:bg-slate-800"
+                    >
+                      <FolderOpen className="h-3.5 w-3.5 shrink-0 text-slate-500" />
+                      <span className="min-w-0 flex-1 truncate italic text-slate-400">
+                        {activeWs.driveConfig.folderName || "Linked root folder"}
+                      </span>
+                    </button>
+                  )}
+                  {pushPicker.folders.map((folder) => (
+                    <button
+                      key={folder.id}
+                      type="button"
+                      onClick={() => handlePushPickerDestination(folder.id)}
+                      className="flex w-full items-center gap-2 rounded-lg px-3 py-2 text-left text-xs text-slate-200 hover:bg-slate-800"
+                    >
+                      <FolderOpen className="h-3.5 w-3.5 shrink-0 text-cyan-400" />
+                      <span className="min-w-0 flex-1 truncate">
+                        {folder.name}
+                      </span>
+                    </button>
+                  ))}
+                  {pushPicker.folders.length === 0 && (
+                    <p className="px-3 py-2 text-xs text-slate-500">
+                      No subfolders found. Choose the linked root folder above
+                      or create a new folder below.
+                    </p>
+                  )}
+                </div>
+                <form
+                  className="mt-3 flex gap-2"
+                  onSubmit={async (e) => {
+                    e.preventDefault();
+                    const name = pushPickerNewFolderName.trim();
+                    if (!name || !activeWorkspaceId) return;
+                    setPushPickerCreatingFolder(true);
+                    try {
+                      const created = await createDriveSubfolder(
+                        activeWorkspaceId,
+                        name,
+                      );
+                      if ("needsAuth" in created) {
+                        window.location.href = created.authUrl;
+                        return;
+                      }
+                      setPushPicker((prev) =>
+                        prev
+                          ? { ...prev, folders: [...prev.folders, created] }
+                          : prev,
+                      );
+                      setPushPickerNewFolderName("");
+                    } catch (err: any) {
+                      const message = err?.message || "Failed to create folder";
+                      if (pushPicker.mode === "topic" && pushPicker.topicId) {
+                        setTopicStatus(pushPicker.topicId, message);
+                      } else {
+                        setDriveFileSyncStatus(message);
+                      }
+                    } finally {
+                      setPushPickerCreatingFolder(false);
+                    }
+                  }}
+                >
+                  <input
+                    value={pushPickerNewFolderName}
+                    onChange={(e) => setPushPickerNewFolderName(e.target.value)}
+                    placeholder="New folder name…"
+                    className="min-w-0 flex-1 rounded-lg border border-slate-700 bg-slate-800 px-2 py-1.5 text-xs text-slate-200 placeholder:text-slate-500 focus:border-cyan-500 focus:outline-none"
+                  />
+                  <button
+                    type="submit"
+                    disabled={
+                      !pushPickerNewFolderName.trim() ||
+                      pushPickerCreatingFolder
+                    }
+                    className="flex items-center gap-1 rounded-lg bg-cyan-700 px-2.5 py-1.5 text-xs font-medium text-white hover:bg-cyan-600 disabled:opacity-40"
+                  >
+                    {pushPickerCreatingFolder ? (
+                      <Loader2 className="h-3 w-3 animate-spin" />
+                    ) : (
+                      <Plus className="h-3 w-3" />
+                    )}
+                    Create
+                  </button>
+                </form>
+              </>
+            )}
+          </div>
+        </div>
+      )}
+      <aside className="w-72 border-r border-slate-800 flex flex-col bg-slate-900/50 shrink-0">
       {/* Workspace switcher */}
       <WorkspaceSwitcher />
@@ -1060,6 +1250,32 @@ export default function Sidebar() {
                 sync from inside that selected folder.
               </p>
             )}
+            {canPushLocalDrive && (
+              <div className="mt-2 space-y-1.5">
+                <p className="text-[10px] text-slate-600">
+                  Push local workspace to Drive
+                </p>
+                <button
+                  type="button"
+                  onClick={handlePushToDrive}
+                  disabled={pushing}
+                  className="flex w-full items-center justify-center gap-1 rounded-md border border-cyan-500/20 bg-cyan-500/10 px-2 py-1 text-[11px] font-medium text-cyan-300 transition-colors hover:bg-cyan-500/15 disabled:opacity-40 disabled:hover:bg-cyan-500/10"
+                  title="Choose a Drive folder and push topics, questions, and workspace files into it"
+                >
+                  {pushing ? (
+                    <Loader2 className="w-3 h-3 animate-spin" />
+                  ) : (
+                    <Upload className="w-3 h-3" />
+                  )}
+                  {pushing ? "Pushing…" : "Choose folder & push"}
+                </button>
+                {driveFileSyncStatus && (
+                  <p className="text-[10px] leading-relaxed text-slate-500">
+                    {driveFileSyncStatus}
+                  </p>
+                )}
+              </div>
+            )}
             {canSyncDriveFolder && (
               <div className="mt-2 space-y-1.5">
                 <p className="text-[10px] text-slate-600">
@@ -1393,13 +1609,13 @@ export default function Sidebar() {
                                 <Download className="w-3 h-3" /> Download
                               </button>
-                              {canSyncDriveFolder && (
+                              {canPushDriveDestination && (
                                 <>
                                   <div className="border-t border-slate-700 my-0.5" />
                                   <button
                                     onClick={() => {
                                       setOpenMenuTopicId(null);
-                                      void handlePushTopicToDrive(topic.id);
+                                      handlePushTopicToDrive(topic.id);
                                     }}
                                     disabled={topicBusy || pushing || syncing}
                                     className="w-full flex items-center gap-2 px-3 py-1.5 text-xs text-cyan-300 hover:bg-slate-700 hover:text-cyan-200 disabled:opacity-50 transition-colors"
@@ -1411,21 +1627,23 @@ export default function Sidebar() {
                                     )}
                                     Push topic
                                   </button>
-                                  <button
-                                    onClick={() => {
-                                      setOpenMenuTopicId(null);
-                                      void handlePullTopicFromDrive(topic.id);
-                                    }}
-                                    disabled={topicBusy || pushing || syncing}
-                                    className="w-full flex items-center gap-2 px-3 py-1.5 text-xs text-slate-300 hover:bg-slate-700 hover:text-cyan-300 disabled:opacity-50 transition-colors"
-                                  >
-                                    {topicSyncingId === topic.id ? (
-                                      <Loader2 className="w-3 h-3 animate-spin" />
-                                    ) : (
-                                      <RefreshCw className="w-3 h-3" />
-                                    )}
-                                    Pull topic
-                                  </button>
+                                  {canSyncDriveFolder && (
+                                    <button
+                                      onClick={() => {
+                                        setOpenMenuTopicId(null);
+                                        void handlePullTopicFromDrive(topic.id);
+                                      }}
+                                      disabled={topicBusy || pushing || syncing}
+                                      className="w-full flex items-center gap-2 px-3 py-1.5 text-xs text-slate-300 hover:bg-slate-700 hover:text-cyan-300 disabled:opacity-50 transition-colors"
+                                    >
+                                      {topicSyncingId === topic.id ? (
+                                        <Loader2 className="w-3 h-3 animate-spin" />
+                                      ) : (
+                                        <RefreshCw className="w-3 h-3" />
+                                      )}
+                                      Pull topic
+                                    </button>
+                                  )}
                                 </>
                               )}
@@ -1555,6 +1773,7 @@ export default function Sidebar() {
             })}
         </div>
       )}
-    </aside>
+      </aside>
+    </>
   );
 }

package/template/client/src/infraLab.ts CHANGED Viewed

@@ -370,6 +370,662 @@ setInterval(async () => {
   },
 };
+export const POSTGRES_DOCKER_PROVIDER_LAB: InfraLabWorkspace = {
+  version: 1,
+  label: "Postgres Docker Provider Lab",
+  provider: "docker",
+  executionMode: "docker",
+  activeFile: "README.md",
+  files: {
+    "README.md": `# Postgres Docker Provider Lab
+This lab is a clearer Terraform + Docker mental model:
+1. Terraform uses the Docker provider.
+2. Terraform pulls the Postgres Docker image.
+3. Terraform creates a Docker volume for database files.
+4. Terraform creates a running Postgres container during \`terraform apply\`.
+5. Terraform removes the container during \`terraform destroy\`.
+In this lab, Docker is the local infrastructure platform and Postgres is the deployed infrastructure.
+## Prerequisites
+- Docker Desktop / Docker Engine must already be running.
+- The first \`terraform init\` downloads the Docker Terraform provider.
+## Run it
+Use the Console tab one command at a time:
+1. \`terraform init\`
+2. \`terraform plan -out=tfplan\`
+3. \`terraform apply -auto-approve\`
+4. \`terraform output\`
+5. \`docker ps\`
+6. \`docker exec terraform-postgres-db pg_isready -U appuser -d appdb\`
+7. \`docker exec -e PGPASSWORD=local-dev-password terraform-postgres-db psql -U appuser -d appdb -c "select current_database(), current_user;"\`
+## Create a table
+After apply succeeds, try these one at a time:
+1. \`docker exec -e PGPASSWORD=local-dev-password terraform-postgres-db psql -U appuser -d appdb -c "create table if not exists notes (id serial primary key, body text not null);"\`
+2. \`docker exec -e PGPASSWORD=local-dev-password terraform-postgres-db psql -U appuser -d appdb -c "insert into notes (body) values ('hello from terraform-managed postgres');"\`
+3. \`docker exec -e PGPASSWORD=local-dev-password terraform-postgres-db psql -U appuser -d appdb -c "select * from notes;"\`
+## Change something
+Edit \`variables.tf\`, for example change \`host_port\` from \`5433\` to \`5434\`, then run:
+1. \`terraform plan -out=tfplan\`
+2. \`terraform apply -auto-approve\`
+3. \`terraform output\`
+## Clean up
+Run:
+\`terraform destroy -auto-approve\`
+The named Docker volume is also Terraform-managed, so destroying the lab removes the database data volume too.
+## Mental model
+This is IaC [Infrastructure as Code] managing local Docker resources:
+- \`provider.tf\` tells Terraform how to talk to Docker.
+- \`main.tf\` declares Docker resources: image, volume, container.
+- \`terraform apply\` makes Docker match that desired state.
+- \`outputs.tf\` prints useful connection details.
+So this is not "Docker deployed to Docker". It is Terraform deploying a Postgres database container into local Docker.
+`,
+    "provider.tf": `terraform {
+  required_version = ">= 1.5.0"
+  required_providers {
+    docker = {
+      source  = "kreuzwerker/docker"
+      version = "~> 3.0"
+    }
+  }
+}
+provider "docker" {}
+`,
+    "variables.tf": `variable "container_name" {
+  description = "Name for the local Postgres Docker container."
+  type        = string
+  default     = "terraform-postgres-db"
+}
+variable "host_port" {
+  description = "Host port published to your machine for Postgres connections."
+  type        = number
+  default     = 5433
+}
+variable "postgres_version" {
+  description = "Postgres Docker image version."
+  type        = string
+  default     = "16-alpine"
+}
+variable "database_name" {
+  description = "Database created by the Postgres image on first startup."
+  type        = string
+  default     = "appdb"
+}
+variable "database_user" {
+  description = "Database user created by the Postgres image on first startup."
+  type        = string
+  default     = "appuser"
+}
+variable "database_password" {
+  description = "Local development password for the database user."
+  type        = string
+  default     = "local-dev-password"
+  sensitive   = true
+}
+`,
+    "main.tf": `resource "docker_image" "postgres" {
+  name         = "postgres:\${var.postgres_version}"
+  keep_locally = true
+}
+resource "docker_volume" "postgres_data" {
+  name = "\${var.container_name}-data"
+}
+resource "docker_container" "postgres" {
+  name    = var.container_name
+  image   = docker_image.postgres.image_id
+  restart = "unless-stopped"
+  env = [
+    "POSTGRES_DB=\${var.database_name}",
+    "POSTGRES_USER=\${var.database_user}",
+    "POSTGRES_PASSWORD=\${var.database_password}",
+    "PGDATA=/var/lib/postgresql/data/pgdata"
+  ]
+  ports {
+    internal = 5432
+    external = var.host_port
+  }
+  volumes {
+    volume_name    = docker_volume.postgres_data.name
+    container_path = "/var/lib/postgresql/data"
+  }
+  healthcheck {
+    test         = ["CMD-SHELL", "pg_isready -U \${var.database_user} -d \${var.database_name}"]
+    interval     = "5s"
+    timeout      = "3s"
+    start_period = "10s"
+    retries      = 10
+  }
+}
+`,
+    "outputs.tf": `output "container_name" {
+  value = docker_container.postgres.name
+}
+output "host" {
+  value = "localhost"
+}
+output "port" {
+  value = var.host_port
+}
+output "database_name" {
+  value = var.database_name
+}
+output "database_user" {
+  value = var.database_user
+}
+output "docker_exec_psql" {
+  value = "docker exec -e PGPASSWORD=local-dev-password \${docker_container.postgres.name} psql -U \${var.database_user} -d \${var.database_name} -c 'select current_database(), current_user;'"
+}
+output "connection_string" {
+  value     = "postgresql://\${var.database_user}:\${var.database_password}@localhost:\${var.host_port}/\${var.database_name}"
+  sensitive = true
+}
+`,
+  },
+};
+const AZURE_NETWORK_ACL_FILE_NAMES = [
+  "README.md",
+  "provider.tf",
+  "variables.tf",
+  "main.tf",
+  "outputs.tf",
+  "tfvars/dev.wu3.tfvars",
+  "modules/keyvault/main.tf",
+  "modules/storage-account/main.tf",
+  "modules/eventhub/main.tf",
+  "apps/azure-resource-mock/Dockerfile",
+  "apps/azure-resource-mock/server.js",
+];
+export const AZURE_NETWORK_ACL_DOCKER_LAB: InfraLabWorkspace = {
+  version: 1,
+  label: "Azure Network ACL Failure Lab",
+  provider: "docker",
+  executionMode: "docker",
+  activeFile: "README.md",
+  files: {
+    "README.md": `# Azure Network ACL Failure Lab — Local Docker Edition
+This lab recreates a common Azure Terraform failure without requiring an Azure subscription.
+Terraform still has the same shape as the real system:
+1. **tfvars** provides environment-specific values.
+2. **variables.tf** declares the inputs.
+3. **main.tf** wires those inputs into modules.
+4. Each module applies network lock-down rules from the same \`virtual_networks_allowed\` list.
+5. Docker containers stand in for Azure Key Vault, Storage Account, and Event Hub.
+The lab starts broken on purpose. The DEV deployment subscription is:
+- \`d05d3a9b-68eb-4dea-9f1c-208dc705ce2d\`
+But the subnet allowlist in \`tfvars/dev.wu3.tfvars\` points at the old platform networking subscription:
+- \`e2cbae49-43fe-49c9-b9e5-fdba61ccb575\`
+That reproduces the real bug chain:
+> New DEV resources are being deployed, but the security whitelist still points at old DEV networking.
+## Run the failure
+Use the Console tab one command at a time:
+1. \`terraform init\`
+2. \`terraform plan -var-file=tfvars/dev.wu3.tfvars -out=tfplan\`
+Terraform should fail before it starts the mock containers. That is intentional.
+## Trace the value path
+Follow this order:
+1. Open \`tfvars/dev.wu3.tfvars\` and find \`virtual_networks_allowed\`.
+2. Open \`variables.tf\` and find \`variable "virtual_networks_allowed"\`.
+3. Open \`main.tf\` and see that value passed into:
+  - \`module "keyvault"\`
+  - \`module "storage_account"\`
+  - \`module "eventhub"\`
+4. Open each module and find where the value becomes network rules:
+  - \`modules/keyvault/main.tf\` → \`network_acls\`
+  - \`modules/storage-account/main.tf\` → \`network_rules\`
+  - \`modules/eventhub/main.tf\` → \`network_rulesets\`
+## Fix it
+In \`tfvars/dev.wu3.tfvars\`, replace the old subnet subscription/resource group with the current DEV networking values:
+- subscription: \`d05d3a9b-68eb-4dea-9f1c-208dc705ce2d\`
+- resource group: \`plfdev02shrwu3-networking\`
+The fixed subnet IDs should look like:
+\`/subscriptions/d05d3a9b-68eb-4dea-9f1c-208dc705ce2d/resourceGroups/plfdev02shrwu3-networking/providers/Microsoft.Network/virtualNetworks/plfdev02-vnet/subnets/app\`
+Then rerun:
+1. \`terraform plan -var-file=tfvars/dev.wu3.tfvars -out=tfplan\`
+2. \`terraform apply -auto-approve -var-file=tfvars/dev.wu3.tfvars\`
+3. \`terraform output\`
+4. \`curl -s http://localhost:4311/health\`
+5. \`curl -s http://localhost:4312/health\`
+6. \`curl -s http://localhost:4313/health\`
+## Clean up
+Run:
+\`terraform destroy -auto-approve -var-file=tfvars/dev.wu3.tfvars\`
+If you want to inspect Docker directly:
+- \`docker ps -a\`
+- \`docker logs azure-acl-lab-keyvault\`
+- \`docker logs azure-acl-lab-storage\`
+- \`docker logs azure-acl-lab-eventhub\`
+## Interview summary
+The bug is not that Key Vault, Storage, or Event Hub cannot be created. The bug is that all three modules consume the same stale \`virtual_networks_allowed\` value, so all three try to apply firewall rules for subnets Azure cannot resolve anymore.
+`,
+    "provider.tf": `terraform {
+  required_version = ">= 1.5.0"
+}
+`,
+    "variables.tf": `variable "name_prefix" {
+  description = "Prefix used for local Docker containers and image names."
+  type        = string
+  default     = "azure-acl-lab"
+}
+variable "location" {
+  description = "Azure region label used by the mock resources."
+  type        = string
+  default     = "westus3"
+}
+variable "az_subscription_id" {
+  description = "Current DEV subscription receiving the deployment."
+  type        = string
+  default     = "d05d3a9b-68eb-4dea-9f1c-208dc705ce2d"
+}
+variable "expected_network_resource_group" {
+  description = "Networking resource group that should own DEV subnets now."
+  type        = string
+  default     = "plfdev02shrwu3-networking"
+}
+variable "virtual_networks_allowed" {
+  description = "Subnet IDs trusted by Key Vault, Storage, and Event Hub firewalls."
+  type        = list(string)
+  # Broken on purpose. The tfvars file mirrors the same old subnet IDs.
+  default = [
+    "/subscriptions/e2cbae49-43fe-49c9-b9e5-fdba61ccb575/resourceGroups/plfdev01shrwu3-networking/providers/Microsoft.Network/virtualNetworks/plfdev01-vnet/subnets/app",
+    "/subscriptions/e2cbae49-43fe-49c9-b9e5-fdba61ccb575/resourceGroups/plfdev01shrwu3-networking/providers/Microsoft.Network/virtualNetworks/plfdev01-vnet/subnets/private-endpoints"
+  ]
+}
+`,
+    "main.tf": `locals {
+  mock_image = "\${var.name_prefix}/azure-resource-mock:local"
+}
+# This one Docker image stands in for Azure platform services. The modules below
+# run the same image with different RESOURCE_KIND values so you can inspect
+# Key Vault, Storage Account, and Event Hub independently.
+resource "terraform_data" "mock_image" {
+  triggers_replace = {
+    dockerfile = filesha1("\${path.module}/apps/azure-resource-mock/Dockerfile")
+    server     = filesha1("\${path.module}/apps/azure-resource-mock/server.js")
+  }
+  provisioner "local-exec" {
+    command = "docker build -t \${local.mock_image} apps/azure-resource-mock"
+  }
+}
+module "keyvault" {
+  source = "./modules/keyvault"
+  resource_name                   = "\${var.name_prefix}-kv"
+  container_name                  = "\${var.name_prefix}-keyvault"
+  host_port                       = 4311
+  image_name                      = local.mock_image
+  current_subscription_id         = var.az_subscription_id
+  expected_network_subscription_id = var.az_subscription_id
+  expected_network_resource_group = var.expected_network_resource_group
+  virtual_networks_allowed        = var.virtual_networks_allowed
+  depends_on = [terraform_data.mock_image]
+}
+module "storage_account" {
+  source = "./modules/storage-account"
+  resource_name                   = replace("\${var.name_prefix}storage", "-", "")
+  container_name                  = "\${var.name_prefix}-storage"
+  host_port                       = 4312
+  image_name                      = local.mock_image
+  current_subscription_id         = var.az_subscription_id
+  expected_network_subscription_id = var.az_subscription_id
+  expected_network_resource_group = var.expected_network_resource_group
+  virtual_networks_allowed        = var.virtual_networks_allowed
+  depends_on = [terraform_data.mock_image]
+}
+module "eventhub" {
+  source = "./modules/eventhub"
+  resource_name                   = "\${var.name_prefix}-eh"
+  container_name                  = "\${var.name_prefix}-eventhub"
+  host_port                       = 4313
+  image_name                      = local.mock_image
+  current_subscription_id         = var.az_subscription_id
+  expected_network_subscription_id = var.az_subscription_id
+  expected_network_resource_group = var.expected_network_resource_group
+  virtual_networks_allowed        = var.virtual_networks_allowed
+  depends_on = [terraform_data.mock_image]
+}
+`,
+    "outputs.tf": `output "keyvault_url" {
+  value = module.keyvault.url
+}
+output "storage_account_url" {
+  value = module.storage_account.url
+}
+output "eventhub_url" {
+  value = module.eventhub.url
+}
+output "debug_chain" {
+  value = {
+    current_subscription      = var.az_subscription_id
+    expected_network_rg       = var.expected_network_resource_group
+    virtual_networks_allowed  = var.virtual_networks_allowed
+    shared_failure_explainer  = "All three modules consume virtual_networks_allowed, so one stale subnet list breaks every resource firewall."
+  }
+}
+`,
+    "tfvars/dev.wu3.tfvars": `# DEV deploys into the new subscription.
+az_subscription_id = "d05d3a9b-68eb-4dea-9f1c-208dc705ce2d"
+location           = "westus3"
+# DEV networking moved. The modules expect subnet IDs from this resource group.
+expected_network_resource_group = "plfdev02shrwu3-networking"
+# Broken on purpose: these still point at the old platform networking subscription
+# and old networking resource group.
+virtual_networks_allowed = [
+  "/subscriptions/e2cbae49-43fe-49c9-b9e5-fdba61ccb575/resourceGroups/plfdev01shrwu3-networking/providers/Microsoft.Network/virtualNetworks/plfdev01-vnet/subnets/app",
+  "/subscriptions/e2cbae49-43fe-49c9-b9e5-fdba61ccb575/resourceGroups/plfdev01shrwu3-networking/providers/Microsoft.Network/virtualNetworks/plfdev01-vnet/subnets/private-endpoints"
+]
+`,
+    "modules/keyvault/main.tf": `variable "resource_name" { type = string }
+variable "container_name" { type = string }
+variable "host_port" { type = number }
+variable "image_name" { type = string }
+variable "current_subscription_id" { type = string }
+variable "expected_network_subscription_id" { type = string }
+variable "expected_network_resource_group" { type = string }
+variable "virtual_networks_allowed" { type = list(string) }
+# Mirrors azurerm_key_vault.network_acls.virtual_network_subnet_ids.
+resource "terraform_data" "network_acls" {
+  input = var.virtual_networks_allowed
+  lifecycle {
+    precondition {
+      condition = alltrue([
+        for subnet_id in var.virtual_networks_allowed :
+        can(regex("^/subscriptions/\${var.expected_network_subscription_id}/resourceGroups/\${var.expected_network_resource_group}/providers/Microsoft.Network/virtualNetworks/.+/subnets/.+$", subnet_id))
+      ])
+      error_message = "Key Vault network_acls rejected virtual_networks_allowed. Expected subnet IDs from subscription \${var.expected_network_subscription_id} and resource group \${var.expected_network_resource_group}."
+    }
+  }
+}
+resource "terraform_data" "keyvault_mock" {
+  input = {
+    container_name = var.container_name
+    url            = "http://localhost:\${var.host_port}"
+  }
+  provisioner "local-exec" {
+    command = "docker rm -f \${var.container_name} >/dev/null 2>&1 || true && docker run -d --name \${var.container_name} -p \${var.host_port}:8080 -e RESOURCE_KIND=KeyVault -e RESOURCE_NAME=\${var.resource_name} -e CURRENT_SUBSCRIPTION_ID=\${var.current_subscription_id} -e ALLOWED_SUBNET_IDS='\${join(",", var.virtual_networks_allowed)}' \${var.image_name}"
+  }
+  provisioner "local-exec" {
+    when    = destroy
+    command = "docker rm -f \${self.input.container_name} >/dev/null 2>&1 || true"
+  }
+  depends_on = [terraform_data.network_acls]
+}
+output "url" {
+  value = terraform_data.keyvault_mock.input.url
+}
+`,
+    "modules/storage-account/main.tf": `variable "resource_name" { type = string }
+variable "container_name" { type = string }
+variable "host_port" { type = number }
+variable "image_name" { type = string }
+variable "current_subscription_id" { type = string }
+variable "expected_network_subscription_id" { type = string }
+variable "expected_network_resource_group" { type = string }
+variable "virtual_networks_allowed" { type = list(string) }
+# Mirrors azurerm_storage_account.network_rules.virtual_network_subnet_ids.
+resource "terraform_data" "network_rules" {
+  input = var.virtual_networks_allowed
+  lifecycle {
+    precondition {
+      condition = alltrue([
+        for subnet_id in var.virtual_networks_allowed :
+        can(regex("^/subscriptions/\${var.expected_network_subscription_id}/resourceGroups/\${var.expected_network_resource_group}/providers/Microsoft.Network/virtualNetworks/.+/subnets/.+$", subnet_id))
+      ])
+      error_message = "Storage Account network_rules rejected virtual_networks_allowed. Expected subnet IDs from subscription \${var.expected_network_subscription_id} and resource group \${var.expected_network_resource_group}."
+    }
+  }
+}
+resource "terraform_data" "storage_mock" {
+  input = {
+    container_name = var.container_name
+    url            = "http://localhost:\${var.host_port}"
+  }
+  provisioner "local-exec" {
+    command = "docker rm -f \${var.container_name} >/dev/null 2>&1 || true && docker run -d --name \${var.container_name} -p \${var.host_port}:8080 -e RESOURCE_KIND=StorageAccount -e RESOURCE_NAME=\${var.resource_name} -e CURRENT_SUBSCRIPTION_ID=\${var.current_subscription_id} -e ALLOWED_SUBNET_IDS='\${join(",", var.virtual_networks_allowed)}' \${var.image_name}"
+  }
+  provisioner "local-exec" {
+    when    = destroy
+    command = "docker rm -f \${self.input.container_name} >/dev/null 2>&1 || true"
+  }
+  depends_on = [terraform_data.network_rules]
+}
+output "url" {
+  value = terraform_data.storage_mock.input.url
+}
+`,
+    "modules/eventhub/main.tf": `variable "resource_name" { type = string }
+variable "container_name" { type = string }
+variable "host_port" { type = number }
+variable "image_name" { type = string }
+variable "current_subscription_id" { type = string }
+variable "expected_network_subscription_id" { type = string }
+variable "expected_network_resource_group" { type = string }
+variable "virtual_networks_allowed" { type = list(string) }
+locals {
+  virtual_network_rule = [
+    for subnet_id in var.virtual_networks_allowed : {
+      subnet_id = subnet_id
+      ignore_missing_virtual_network_service_endpoint = false
+    }
+  ]
+}
+# Mirrors azurerm_eventhub_namespace.network_rulesets.virtual_network_rule.
+resource "terraform_data" "network_rulesets" {
+  input = local.virtual_network_rule
+  lifecycle {
+    precondition {
+      condition = alltrue([
+        for rule in local.virtual_network_rule :
+        can(regex("^/subscriptions/\${var.expected_network_subscription_id}/resourceGroups/\${var.expected_network_resource_group}/providers/Microsoft.Network/virtualNetworks/.+/subnets/.+$", rule.subnet_id))
+      ])
+      error_message = "Event Hub network_rulesets rejected virtual_networks_allowed. Expected subnet IDs from subscription \${var.expected_network_subscription_id} and resource group \${var.expected_network_resource_group}."
+    }
+  }
+}
+resource "terraform_data" "eventhub_mock" {
+  input = {
+    container_name = var.container_name
+    url            = "http://localhost:\${var.host_port}"
+  }
+  provisioner "local-exec" {
+    command = "docker rm -f \${var.container_name} >/dev/null 2>&1 || true && docker run -d --name \${var.container_name} -p \${var.host_port}:8080 -e RESOURCE_KIND=EventHub -e RESOURCE_NAME=\${var.resource_name} -e CURRENT_SUBSCRIPTION_ID=\${var.current_subscription_id} -e ALLOWED_SUBNET_IDS='\${join(",", var.virtual_networks_allowed)}' \${var.image_name}"
+  }
+  provisioner "local-exec" {
+    when    = destroy
+    command = "docker rm -f \${self.input.container_name} >/dev/null 2>&1 || true"
+  }
+  depends_on = [terraform_data.network_rulesets]
+}
+output "url" {
+  value = terraform_data.eventhub_mock.input.url
+}
+`,
+    "apps/azure-resource-mock/Dockerfile": `FROM node:20-alpine
+WORKDIR /app
+COPY server.js ./server.js
+EXPOSE 8080
+CMD ["node", "server.js"]
+`,
+    "apps/azure-resource-mock/server.js": `import http from "node:http";
+const port = Number(process.env.PORT || 8080);
+const resourceKind = process.env.RESOURCE_KIND || "AzureResource";
+const resourceName = process.env.RESOURCE_NAME || "local-resource";
+const subscriptionId = process.env.CURRENT_SUBSCRIPTION_ID || "unknown";
+const allowedSubnets = (process.env.ALLOWED_SUBNET_IDS || "")
+  .split(",")
+  .map((value) => value.trim())
+  .filter(Boolean);
+function json(res, statusCode, body) {
+  res.writeHead(statusCode, { "content-type": "application/json" });
+  res.end(JSON.stringify(body, null, 2));
+}
+function payload(path) {
+  return {
+    ok: true,
+    path,
+    resourceKind,
+    resourceName,
+    subscriptionId,
+    networkLockdown: {
+      defaultAction: "Deny",
+      allowedSubnets,
+      teachingPoint:
+        "In Azure this list is used by network_acls, network_rules, or network_rulesets. If any subnet ID is stale, the lock-down update fails."
+    }
+  };
+}
+const server = http.createServer((req, res) => {
+  const path = new URL(req.url || "/", "http://localhost").pathname;
+  if (path === "/" || path === "/health") return json(res, 200, payload(path));
+  if (path === "/secret") return json(res, 200, { ...payload(path), secretName: "demo-connection-string" });
+  if (path === "/blob") return json(res, 200, { ...payload(path), container: "solution-designs" });
+  if (path === "/events") return json(res, 200, { ...payload(path), eventHub: "solution-builder-events" });
+  return json(res, 404, { ok: false, error: "Not found", path });
+});
+server.listen(port, "0.0.0.0", () => {
+  console.log(resourceKind + " mock listening on 0.0.0.0:" + port);
+  console.log("Allowed subnets:", allowedSubnets);
+});
+`,
+  },
+};
+export const AZURE_NETWORK_ACL_BLANK_TEMPLATE: InfraLabWorkspace = {
+  version: 1,
+  label: "Azure Network ACL Blank Template",
+  provider: "docker",
+  executionMode: "docker",
+  activeFile: "README.md",
+  files: Object.fromEntries(
+    AZURE_NETWORK_ACL_FILE_NAMES.map((fileName) => [fileName, ""]),
+  ),
+};
+function hasWorkspaceFile(
+  files: Record<string, string>,
+  fileName: string,
+): boolean {
+  return Object.prototype.hasOwnProperty.call(files, fileName);
+}
 function refreshLegacyEnterpriseAuthFiles(
   source: InfraLabWorkspace,
   files: Record<string, string>,
@@ -404,7 +1060,7 @@ export function cloneInfraLabWorkspace(
       ? { ...source.files }
       : { ...DEFAULT_INFRA_FILES };
   const files = refreshLegacyEnterpriseAuthFiles(source, sourceFiles);
-  const activeFile = files[source.activeFile]
+  const activeFile = hasWorkspaceFile(files, source.activeFile)
     ? source.activeFile
     : (Object.keys(files)[0] ?? "main.tf");
@@ -438,14 +1094,22 @@ export function getInfraLabFileOrder(workspace: InfraLabWorkspace): string[] {
     "provider.tf",
     "variables.tf",
     "terraform.tfvars",
+    "tfvars/dev.wu3.tfvars",
     "outputs.tf",
     "locals.tf",
+    "modules/keyvault/main.tf",
+    "modules/storage-account/main.tf",
+    "modules/eventhub/main.tf",
+    "apps/azure-resource-mock/Dockerfile",
+    "apps/azure-resource-mock/server.js",
   ];
   const extras = Object.keys(workspace.files)
     .filter((name) => !preferred.includes(name))
     .sort();
-  return preferred.filter((name) => workspace.files[name]).concat(extras);
+  return preferred
+    .filter((name) => hasWorkspaceFile(workspace.files, name))
+    .concat(extras);
 }
 export function serializeInfraLabWorkspace(

package/template/cockpit.json CHANGED Viewed

@@ -1,3 +1,3 @@
 {
-  "version": "0.22.0"
+  "version": "0.23.1"
 }

package/template/server/src/google-drive.ts CHANGED Viewed

@@ -1181,6 +1181,13 @@ async function resolveExportFolderId(
   if (!ws.driveConfig?.folderId) {
     throw new Error("No Drive folder linked to this workspace");
   }
+  // Local workspaces do not have a Drive-navigation state, so a missing
+  // target should mean "the linked folder itself" rather than silently
+  // creating/using _export. The UI now prompts for a destination, but this
+  // server-side fallback protects older/stale clients too.
+  if (ws.type === "local") return ws.driveConfig.folderId;
   return getOrCreateFolder(drive, ws.driveConfig.folderId, EXPORT_FOLDER_NAME);
 }