* fix: strip credentials from service-level API responses
Registry passwords and S3 destination credentials were being returned
in service `.one` tRPC endpoints to any user with service-level read
access. Reported by Nihon Kohden Corporation security team.
- Strip registry `password` from `findApplicationById` via Drizzle `columns: { password: false }`
- Strip destination `accessKey`/`secretAccessKey` from all DB service finders (postgres, mysql, mariadb, mongo, libsql, compose, backup, volume-backups)
- Add `findRegistryByIdWithCredentials` for internal use only
- Builders and upload utils now load registry credentials by ID at execution time
- `createRollback` enriches `fullContext` with registry credentials before persisting to DB so rollback execution has what it needs
- Remove `findApplicationByIdWithCredentials` and `ApplicationNestedWithCredentials` — no longer needed
- Backup execution utils load full destination via `findDestinationById` at runtime instead of reading from the joined relation
* [autofix.ci] apply automated fixes
---------
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
- Replaced inline timestamp generation with the new getBackupTimestamp function across various backup modules (compose, libsql, mariadb, mongo, mysql, postgres, web-server, and volume-backups).
- Improved code readability and maintainability by centralizing timestamp formatting logic.
- Modified the `execAsync` calls in `compose.ts`, `mariadb.ts`, `mongo.ts`, and `mysql.ts` to specify the bash shell for executing backup commands, ensuring compatibility with bash-specific features across all backup utilities.
- Refactored backup utilities for PostgreSQL, MySQL, MariaDB, and MongoDB to streamline command generation and improve logging.
- Introduced a unified `getBackupCommand` function to encapsulate backup command logic, enhancing maintainability.
- Improved error handling and logging during backup processes, providing clearer feedback on command execution and success/failure states.
- Updated container retrieval methods to return null instead of throwing errors when no containers are found, improving robustness.
- Refactored backup utilities for MariaDB, MongoDB, MySQL, and PostgreSQL to include detailed logging of command execution, improving traceability and debugging.
- Introduced deployment tracking for backups, allowing for better management of backup statuses and notifications.
- Updated backup command execution to utilize writable streams, ensuring efficient data handling during backup processes.
- Enhanced error handling and logging for backup operations, providing clearer feedback on success or failure.
- Removed the `getRemoteServiceContainer` function and updated the `getServiceContainer` function to handle both local and remote service containers more efficiently.
- Refactored backup and restore commands for MariaDB, MongoDB, MySQL, and PostgreSQL to utilize new utility functions for generating backup and restore commands, enhancing code clarity and maintainability.
- Streamlined command execution logic in backup and restore processes, ensuring consistent handling of container IDs across different database types.
- Added normalizeS3Path function to standardize S3 path formatting by trimming whitespace and removing leading/trailing slashes.
- Updated backup-related modules (MySQL, MongoDB, PostgreSQL, MariaDB, and web server) to utilize normalizeS3Path for consistent S3 path handling.
- Introduced unit tests for normalizeS3Path to ensure correct functionality across various input scenarios.