chore: Move VPC update/delete proto building onto the DB model

[chet]

Description

Adds receiver methods on cdbm.Vpc so handlers don't have to build update/delete workflow protos inline:

• (*Vpc).ToUpdateRequestProto() and ToDeletionRequestProto() -- used by the Update and Delete handlers respectively (we do something similar for Tenant).
• (*Vpc).GetSiteID(), which replaces the common.GetSiteVpcID helper.

Tests cover ID-vs-ControllerVpcID fallback, nil description, nil labels, and nil NSG.

This is part of a wider effort I'm going to slowly be churning on for standardizing ToProto / FromProto across the board (which started with #500, where I'm also dropping an AGENTS.md which mentions something similar).

Signed-off-by: Chet Nichols III chetn@nvidia.com

Type of Change

• Feature - New feature or functionality (feat:)
• Fix - Bug fixes (fix:)
• Chore - Modification or removal of existing functionality (chore:)
• Refactor - Refactoring of existing functionality (refactor:)
• Docs - Changes in documentation or OpenAPI schema (docs:)
• CI - Changes in GitHub workflows. Requires additional scrutiny (ci:)
• Version - Issuing a new release version (version:)

Services Affected

• API - API models or endpoints updated
• Workflow - Workflow service updated
• DB - DB DAOs or migrations updated
• Site Manager - Site Manager updated
• Cert Manager - Cert Manager updated
• Site Agent - Site Agent updated
• RLA - RLA service updated
• Powershelf Manager - Powershelf Manager updated
• NVSwitch Manager - NVSwitch Manager updated

Related Issues (Optional)

Breaking Changes

• This PR contains breaking changes

Testing

• Unit tests added/updated
• Integration tests added/updated
• Manual testing performed
• No testing required (docs, internal refactor, etc.)

Additional Notes

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 1106e20c-cbd0-467a-b184-e05a56cb5562

📥 Commits

Reviewing files that changed from the base of the PR and between 2546eb0 and ba92bdd.

📒 Files selected for processing (7)

• api/pkg/api/handler/subnet.go
• api/pkg/api/handler/util/common/common.go
• api/pkg/api/handler/vpc.go
• api/pkg/api/handler/vpcprefix.go
• db/pkg/db/model/vpc.go
• db/pkg/db/model/vpc_test.go
• workflow/pkg/activity/vpc/vpc.go

💤 Files with no reviewable changes (1)

• api/pkg/api/handler/util/common/common.go

✅ Files skipped from review due to trivial changes (2)

• workflow/pkg/activity/vpc/vpc.go
• db/pkg/db/model/vpc.go

🚧 Files skipped from review as they are similar to previous changes (1)

• db/pkg/db/model/vpc_test.go

---

Summary by CodeRabbit

• Refactor

  • Unified VPC identifier sourcing and request construction across VPC, VPC prefix and subnet operations for more consistent site workflow messages.

• Tests

  • Added unit tests verifying VPC identifier resolution and request/proto conversion behavior.

Walkthrough

This PR refactors VPC identifier and proto construction logic by consolidating scattered utility functions into dedicated methods on the Vpc model. The GetSiteVpcID() helper is removed and replaced with vpc.GetSiteID() model method, while new proto conversion methods streamline workflow request building across handlers.

Changes

VPC Model Method Refactoring and Handler Migration

Layer / File(s)	Summary
VPC Model Methods and Proto Helpers db/pkg/db/model/vpc.go	Introduces GetSiteID() (preferring ControllerVpcID over ID), toMetadataProto() (serializing name, description, labels), ToDeletionRequestProto(), and ToUpdateRequestProto() with site-agent workflow schema import.
VPC Model Unit Tests db/pkg/db/model/vpc_test.go	Validates ID selection precedence, proto construction with full/partial fields, metadata serialization, and request object completeness.
Helper Function Removal and Modification api/pkg/api/handler/util/common/common.go	Removes deprecated GetSiteVpcID() function; modifies GetSiteInstanceID() implementation (note: contains unexpected markers requiring inspection).
Handler Call Site Updates api/pkg/api/handler/vpc.go, api/pkg/api/handler/subnet.go, api/pkg/api/handler/vpcprefix.go	Migrates VPC, subnet, and VPC prefix handlers to use vpc.GetSiteID(), vpc.ToUpdateRequestProto(), and vpc.ToDeletionRequestProto() instead of manual request construction and utility functions.
Workflow Activity Documentation workflow/pkg/activity/vpc/vpc.go	Clarifies that UpdateVpcMetadata intentionally omits NetworkSecurityGroupId from the workflow request because the activity syncs only metadata fields.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the primary change: moving VPC proto-building logic from handlers onto receiver methods on the Vpc DB model.
Description check	✅ Passed	The description is directly related to the changeset, explaining the new receiver methods, their purpose, test coverage, and broader refactoring context.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🔐 TruffleHog Secret Scan

✅ No secrets or credentials found!

Your code has been scanned for 700+ types of secrets and credentials. All clear! 🎉

🔗 View scan details

_{🕐 Last updated: 2026-05-07 17:02:53 UTC | Commit: 2546eb0}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

api/pkg/api/handler/vpc.go (1)

850-858: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Preserve explicit NSG clears when building UpdateVPC requests.

vpc.ToUpdateRequestProto() copies vpc.NetworkSecurityGroupID as-is. After the clear path above, that value is nil, so NetworkSecurityGroupId is omitted on the wire. The metadata activity comment makes the semantics explicit: omitted means “do not touch NSG.” As a result, a request with networkSecurityGroupId: "" will clear the DB field but leave the Site-side NSG association intact.

Suggested fix

-		updateVpcRequest := vpc.ToUpdateRequestProto()
+		updateVpcRequest := vpc.ToUpdateRequestProto()
+		if apiRequest.NetworkSecurityGroupID != nil && *apiRequest.NetworkSecurityGroupID == "" {
+			updateVpcRequest.NetworkSecurityGroupId = cdb.GetStrPtr("")
+		}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@api/pkg/api/handler/vpc.go` around lines 850 - 858,
vpc.ToUpdateRequestProto() currently omits NetworkSecurityGroupId when
vpc.NetworkSecurityGroupID is nil, losing explicit "clear" semantics; ensure the
handler inspects the incoming API update (similar to how
NVLinkLogicalPartitionID is handled) and when the request explicitly sets
NetworkSecurityGroupID to empty string assign
updateVpcRequest.NetworkSecurityGroupId = &cwssaws.NetworkSecurityGroupId{Value:
""}, and when non-empty assign the actual ID; modify the code around
vpc.ToUpdateRequestProto() to set updateVpcRequest.NetworkSecurityGroupId based
on the API input (handling nil, empty string, and non-empty cases) so clears are
propagated to the site controller.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@db/pkg/db/model/vpc_test.go`:
- Around line 1520-1564: Add a new subtest in TestVpc_ToUpdateRequestProto that
verifies explicit NSG removal: create a Vpc with NetworkSecurityGroupID set to a
non-nil pointer to the empty string (e.g. &""), call v.ToUpdateRequestProto(),
and assert that req.NetworkSecurityGroupId is non-nil and its value equals ""
(distinct from the existing nil-omitted case); reference the
TestVpc_ToUpdateRequestProto test and the Vpc.NetworkSecurityGroupID /
ToUpdateRequestProto symbols when adding this case.

---

Outside diff comments:
In `@api/pkg/api/handler/vpc.go`:
- Around line 850-858: vpc.ToUpdateRequestProto() currently omits
NetworkSecurityGroupId when vpc.NetworkSecurityGroupID is nil, losing explicit
"clear" semantics; ensure the handler inspects the incoming API update (similar
to how NVLinkLogicalPartitionID is handled) and when the request explicitly sets
NetworkSecurityGroupID to empty string assign
updateVpcRequest.NetworkSecurityGroupId = &cwssaws.NetworkSecurityGroupId{Value:
""}, and when non-empty assign the actual ID; modify the code around
vpc.ToUpdateRequestProto() to set updateVpcRequest.NetworkSecurityGroupId based
on the API input (handling nil, empty string, and non-empty cases) so clears are
propagated to the site controller.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: aa487abc-81a4-441b-a9ca-abb7d5a39287

📥 Commits

Reviewing files that changed from the base of the PR and between 32a4eb7 and 2546eb0.

📒 Files selected for processing (7)

• api/pkg/api/handler/subnet.go
• api/pkg/api/handler/util/common/common.go
• api/pkg/api/handler/vpc.go
• api/pkg/api/handler/vpcprefix.go
• db/pkg/db/model/vpc.go
• db/pkg/db/model/vpc_test.go
• workflow/pkg/activity/vpc/vpc.go

💤 Files with no reviewable changes (1)

• api/pkg/api/handler/util/common/common.go

[pbreton]

LGTM.

[github-actions]

🔍 Container Scan Summary

Service	Total	Critical	High	Medium	Low	Other
nico-nsm	64	2	20	33	9	0
nico-psm	56	4	29	13	2	8
nico-rest-api	57	4	30	13	2	8
nico-rest-cert-manager	54	4	28	13	1	8
nico-rest-db	55	4	28	13	2	8
nico-rest-site-agent	54	4	28	13	1	8
nico-rest-site-manager	54	4	28	13	1	8
nico-rest-workflow	56	4	29	13	2	8
nico-rla	55	4	28	13	2	8
TOTAL	505	34	248	137	22	64

Per-CVE detail lives in the per-service grype-* artifacts (JSON + SARIF). Severity counts only — no CVE IDs published here.

[thossain-nv]

We should have primary receiver function that is simply called ToProto.

Converting API requests to proto should be done in ToProto method of APIVpcCreateRequest and etc.

[chet]

Oh sorry! I should have been more clear -- this PR was some general housekeeping I was doing that was going to be shared across vpc/vpcprefix/vpcpeering. Probably made it too small, lol. I've got three PRs related to this that are following up on it.