API endpoints initial models (#42881) #43077

Open
juan-fdz-hawa wants to merge 7 commits into main from 42881-api-only-api-endpoints-db-migration

@juan-fdz-hawa juan-fdz-hawa commented Apr 6, 2026

Related issue: Resolves #42881

  • Added user_api_endpoints table to track per user API endpoint permissions.
  • Added service/api_endpoints, used to handle service/api_endpoints.yml artifact.
  • Added check on server start that makes sure that service/api_endpoints.yml is a subset of router routes.

Checklist for submitter

If some of the following don't apply, delete the relevant line.

  • Changes file added for user-visible changes in changes/, orbit/changes/ or ee/fleetd-chrome/changes.
    See Changes files for more information.

Testing

  • Added/updated automated tests

Database migrations

  • Checked schema for all modified tables for columns that will auto-update timestamps during migration.

Summary by CodeRabbit

Release Notes

  • New Features
    • Per-user API endpoint permissions: Configure granular access control by allowing or denying specific users access to individual API endpoints
    • New API trigger endpoint for launching automation workflows and external integrations
    • Startup validation: Application now verifies all declared API endpoints are properly registered at startup, improving reliability and configuration consistency

codecov bot commented Apr 6, 2026

Codecov Report

❌ Patch coverage is 78.12500% with 14 lines in your changes missing coverage. Please review.
✅ Project coverage is 66.85%. Comparing base (6e6e921) to head (40904f9).
⚠️ Report is 5 commits behind head on main.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| server/service/api_endpoints.go | 80.48% | 4 Missing and 4 partials ⚠️ |
| .../20260406114157_AddApiEndpointPermissionsTables.go | 80.95% | 3 Missing and 1 partial ⚠️ |
| cmd/fleet/serve.go | 0.00% | 2 Missing ⚠️ |
Additional details and impacted files
@@            Coverage Diff             @@
##             main   #43077      +/-   ##
==========================================
- Coverage   66.86%   66.85%   -0.02%     
==========================================
  Files        2578     2580       +2     
  Lines      206869   206933      +64     
  Branches     9168     9168              
==========================================
+ Hits       138328   138345      +17     
- Misses      55978    56012      +34     
- Partials    12563    12576      +13     
| Flag | Coverage Δ |
|---|---|
| backend | 68.62% <78.12%> (-0.02%) ⬇️ |

@juan-fdz-hawa
Contributor Author

@coderabbitai full review

coderabbitai bot commented Apr 6, 2026

✅ Actions performed

Full review triggered.

coderabbitai bot commented Apr 6, 2026

Walkthrough

This change introduces API endpoint management by adding a new user_api_endpoints database table to store per-user endpoint permissions with a composite primary key on user ID and endpoint hash. It adds declarative API endpoint definitions in api_endpoints.yml specifying HTTP method, path, name, and deprecation status. New validation code parses these declarations and verifies all endpoints are registered in the application router at startup, panicking if any mismatch is detected. Database migration and schema files are updated to reflect the new table structure with foreign key constraints and metadata columns.

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Linked Issues check | ⚠️ Warning | The PR partially addresses issue #42881: it adds the user_api_endpoints table and implements startup validation, but does not include an api_endpoints table with display_name/protocol/path fields, nor does it fully address the stable endpoint id requirement. | Implement the api_endpoints table as specified in issue #42881 with columns for id, display_name, protocol, and path to enable stable endpoint identification. |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 40.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly and specifically describes the main change: introducing API endpoints initial models with the associated issue number. |
| Description check | ✅ Passed | The PR description covers the main changes and includes relevant checklist items, though some sections from the template are incomplete or missing (security validation, testing scope, etc.). |
| Out of Scope Changes check | ✅ Passed | All changes align with the PR objectives: database migration, service/api_endpoints handling, startup validation, and tests. No out-of-scope changes detected. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@server/datastore/mysql/schema.sql`:
- Line 2977: The column is_allowed currently permits NULL causing tri-state
permission ambiguity; create a new migration that alters the column is_allowed
to be NOT NULL with DEFAULT 1 (e.g., ALTER TABLE ... MODIFY COLUMN `is_allowed`
TINYINT(1) NOT NULL DEFAULT 1 or the equivalent in your migration DSL), run the
migration and then regenerate the auto-generated
server/datastore/mysql/schema.sql from migrations so tests use the updated
schema.

In `@server/service/api_endpoints.yml`:
- Around line 1-4: The endpoint definition for the POST
"/api/_version_/fleet/trigger" contains a placeholder `name` value ("Some wild
description goes here"); replace this with a concise, meaningful description
(e.g., "Trigger fleet operation" or similar) in the `name` field of the API
spec, or if this file is only used to test validation, add a clarifying comment
next to the `name` entry indicating it's intentionally a placeholder for tests.

📥 Commits

Reviewing files that changed from the base of the PR and between e9a0f0f and f2890fb.

📒 Files selected for processing (7)
  • changes/42881-api-endpoints-initial-models
  • cmd/fleet/serve.go
  • server/datastore/mysql/migrations/tables/20260406114157_AddApiEndpointPermissionsTables.go
  • server/datastore/mysql/schema.sql
  • server/service/api_endpoints.go
  • server/service/api_endpoints.yml
  • server/service/api_endpoints_test.go

@juan-fdz-hawa juan-fdz-hawa marked this pull request as ready for review April 6, 2026 21:09
@juan-fdz-hawa juan-fdz-hawa requested a review from a team as a code owner April 6, 2026 21:09
@claude claude bot left a comment

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_, err := tx.Exec(`
CREATE TABLE user_api_endpoints (
user_id INT UNSIGNED NOT NULL,
endpoint_hash BINARY(32) NOT NULL,
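
Review bot: On `endpoint_hash BINARY(32) NOT NULL`, the column definition does not say what is hashed, so the exact input string (delimiters, method case, and whether the path is the `_version_` template or a concrete version such as `v1`) lives only in application code. Consider adding a column COMMENT or a doc comment in the migration that pins the canonical form, because a writer that frames the string differently produces a key that never matches an existing row.
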
Contributor Author

This is meant to store the encoded method + path: UNHEX(SHA2('|GET|/api/v1/reports|', 256)), for example.

user_id INT UNSIGNED NOT NULL,
endpoint_hash BINARY(32) NOT NULL,

is_allowed BOOLEAN DEFAULT TRUE NOT NULL,
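
Review bot: `is_allowed BOOLEAN DEFAULT TRUE NOT NULL` makes an insert that omits the column grant access. For a permissions table it is safer to drop the default (or use DEFAULT FALSE) so every row states its intent explicitly, and to document in the migration what the absence of a row for a given user and endpoint means, since that decides whether the table is read as an allow list or a deny list.
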
Contributor Author

This will allow us to express: "Allow all API endpoints, except these" access rules if needed.

@@ -0,0 +1,4 @@
- method: POST
Contributor Author

This is a placeholder. This file will be replaced on a subsequent PR.

[]endpointer.HandlerRoutesFunc{android_service.GetRoutes(svc, androidSvc), activityRoutes, acmeRoutes}, extra...)

if ok, missing := service.ValidateAPIEndpoints(apiHandler); !ok {
panic(fmt.Sprintf("api_endpoints.yml contains routes not registered in the router: %v", missing))
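
Review bot: The check at `service.ValidateAPIEndpoints(apiHandler)` only reports entries in api_endpoints.yml that are missing from the router, so a route that is registered but never declared passes startup unnoticed. If per-user permissions are keyed on declared endpoints, consider also reporting (or at least logging) router routes that have no declaration, so a new route cannot ship outside the permission model. The returned `ok` is also redundant with `len(missing) == 0`.
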
Contributor Author

Since api_endpoints.yml is owned by us, I think a panic here is OK
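
The endpoint_hash encoding and the startup subset check discussed in the review comments above, as an added Go example that is not code from this PR or from Fleet. The names Endpoint, EndpointHash and MissingFromRouter, the upper-casing of the method, and the sample routes are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// Endpoint is a hypothetical stand-in for one api_endpoints.yml entry or router route.
type Endpoint struct {
	Method, Path string
}

// EndpointHash frames method and path as "|METHOD|/path|" and returns the
// SHA-256 digest: the same 32 bytes MySQL yields for UNHEX(SHA2(s, 256)).
// Upper-casing the method is an assumption; the delimiters keep the
// method/path boundary unambiguous.
func EndpointHash(method, path string) [32]byte {
	return sha256.Sum256([]byte("|" + strings.ToUpper(method) + "|" + path + "|"))
}

// MissingFromRouter returns the declared endpoints that have no matching
// router route, i.e. the entries a startup check would have to reject.
func MissingFromRouter(declared, routes []Endpoint) []string {
	registered := make(map[[32]byte]bool, len(routes))
	for _, r := range routes {
		registered[EndpointHash(r.Method, r.Path)] = true
	}
	var missing []string
	for _, d := range declared {
		if !registered[EndpointHash(d.Method, d.Path)] {
			missing = append(missing, strings.ToUpper(d.Method)+" "+d.Path)
		}
	}
	sort.Strings(missing)
	return missing
}

func main() {
	// Constructed sample data: the second declaration has a typo in its path.
	routes := []Endpoint{{"GET", "/api/v1/reports"}, {"POST", "/api/_version_/fleet/trigger"}}
	declared := []Endpoint{{"post", "/api/_version_/fleet/trigger"}, {"GET", "/api/v1/report"}}
	fmt.Printf("endpoint_hash: %x\n", EndpointHash("GET", "/api/v1/reports"))
	fmt.Println("missing:", MissingFromRouter(declared, routes))
}
```
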

Development

Successfully merging this pull request may close these issues.

[API-only + API-endpoints] DB migration

3 participants