feat: add service catalog management with policy integration for domain-based resource access control

Add ServiceCatalogItem type and services CRUD API endpoints (list, create, update, delete). Extend Policy type to include services array with domain, upstream_ip, proxy_ip, and ports metadata.

Add ServicesPage component with table view and create/edit modals for managing service definitions. Include service name, domain, proxy, and upstream columns with port parsing logic.

Integrate service selection

backend/internal/policy/repository.go

@@ -53,6 +53,11 @@ func (r *PGRepository) List(ctx context.Context) ([]Policy, error) {
 		if err := rows.Scan(&item.ID, &item.Name, &item.Description, &item.Priority, &item.Effect, &item.FullTunnel, &item.IsActive, &item.Destinations); err != nil {
 			return nil, err
 		}
+		services, err := r.listServices(ctx, item.ID)
+		if err != nil {
+			return nil, err
+		}
+		item.Services = services
 		targets, err := r.listTargets(ctx, item.ID)
 		if err != nil {
 			return nil, err
@@ -88,6 +93,15 @@ func (r *PGRepository) Create(ctx context.Context, input CreateRequest, createdB
 		}
 	}
 
+	for _, serviceID := range input.ServiceIDs {
+		if _, err := tx.Exec(ctx, `
+			insert into policy_services (id, policy_id, service_id)
+			values ($1, $2, $3)
+		`, uuid.New(), policyID, serviceID); err != nil {
+			return Policy{}, err
+		}
+	}
+
 	for _, target := range input.Targets {
 		if _, err := tx.Exec(ctx, `
 			insert into policy_targets (id, policy_id, target_type, target_id)
@@ -141,6 +155,20 @@ func (r *PGRepository) Update(ctx context.Context, policyID uuid.UUID, input Upd
 		}
 	}
 
+	if input.ServiceIDs != nil {
+		if _, err := tx.Exec(ctx, `delete from policy_services where policy_id = $1`, policyID); err != nil {
+			return Policy{}, err
+		}
+		for _, serviceID := range input.ServiceIDs {
+			if _, err := tx.Exec(ctx, `
+				insert into policy_services (id, policy_id, service_id)
+				values ($1, $2, $3)
+			`, uuid.New(), policyID, serviceID); err != nil {
+				return Policy{}, err
+			}
+		}
+	}
+
 	if input.Targets != nil {
 		if _, err := tx.Exec(ctx, `delete from policy_targets where policy_id = $1`, policyID); err != nil {
 			return Policy{}, err
@@ -169,26 +197,49 @@ func (r *PGRepository) Delete(ctx context.Context, policyID uuid.UUID) error {
 
 func (r *PGRepository) ResolveDestinations(ctx context.Context, userID uuid.UUID, deviceID *uuid.UUID) ([]string, error) {
 	query := `
-		select distinct pd.destination::text
-		from policies p
-		join policy_destinations pd on pd.policy_id = p.id
-		join policy_targets pt on pt.policy_id = p.id
-		where p.deleted_at is null
-		  and p.is_active = true
-		  and p.effect = 'allow'
-		  and (
-			(pt.target_type = 'user' and pt.target_id = $1)
-			or (pt.target_type = 'group' and exists (
-				select 1 from group_memberships gm
-				where gm.group_id = pt.target_id and gm.user_id = $1
-			))
+		select distinct destination
+		from (
+			select pd.destination::text as destination
+			from policies p
+			join policy_destinations pd on pd.policy_id = p.id
+			join policy_targets pt on pt.policy_id = p.id
+			where p.deleted_at is null
+			  and p.is_active = true
+			  and p.effect = 'allow'
+			  and (
+				(pt.target_type = 'user' and pt.target_id = $1)
+				or (pt.target_type = 'group' and exists (
+					select 1 from group_memberships gm
+					where gm.group_id = pt.target_id and gm.user_id = $1
+				))
 	`
 	args := []any{userID}
 	if deviceID != nil {
 		query += ` or (pt.target_type = 'device' and pt.target_id = $2)`
 		args = append(args, *deviceID)
 	}
-	query += `)`
+	query += `)
+			union
+			select host(s.proxy_ip)::text || '/32' as destination
+			from policies p
+			join policy_services ps on ps.policy_id = p.id
+			join services s on s.id = ps.service_id and s.deleted_at is null and s.is_active = true
+			join policy_targets pt on pt.policy_id = p.id
+			where p.deleted_at is null
+			  and p.is_active = true
+			  and p.effect = 'allow'
+			  and (
+				(pt.target_type = 'user' and pt.target_id = $1)
+				or (pt.target_type = 'group' and exists (
+					select 1 from group_memberships gm
+					where gm.group_id = pt.target_id and gm.user_id = $1
+				))
+	`
+	if deviceID != nil {
+		query += ` or (pt.target_type = 'device' and pt.target_id = $2)`
+	}
+	query += `)
+		) destinations`
 
 	rows, err := r.db.Query(ctx, query, args...)
 	if err != nil {
@@ -249,6 +300,11 @@ func (r *PGRepository) ListSelectableProfiles(ctx context.Context, userID uuid.U
 		if err := rows.Scan(&item.ID, &item.Name, &item.Description, &item.FullTunnel, &item.Destinations); err != nil {
 			return nil, err
 		}
+		services, err := r.listServices(ctx, item.ID)
+		if err != nil {
+			return nil, err
+		}
+		item.Services = services
 		profiles = append(profiles, item)
 	}
 	return profiles, rows.Err()
@@ -296,3 +352,34 @@ func (r *PGRepository) listTargets(ctx context.Context, policyID uuid.UUID) ([]T
 
 	return items, rows.Err()
 }
+
+func (r *PGRepository) listServices(ctx context.Context, policyID uuid.UUID) ([]PolicyService, error) {
+	rows, err := r.db.Query(ctx, `
+		select
+			s.id,
+			s.name,
+			s.domain,
+			host(s.upstream_ip),
+			host(s.proxy_ip),
+			s.ports,
+			s.description
+		from policy_services ps
+		join services s on s.id = ps.service_id
+		where ps.policy_id = $1 and s.deleted_at is null
+		order by s.name asc
+	`, policyID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	var items []PolicyService
+	for rows.Next() {
+		var item PolicyService
+		if err := rows.Scan(&item.ID, &item.Name, &item.Domain, &item.UpstreamIP, &item.ProxyIP, &item.Ports, &item.Description); err != nil {
+			return nil, err
+		}
+		items = append(items, item)
+	}
+	return items, rows.Err()
+}