feat: expose drop deployment endpoint in public API

[fdarian]

Resolve #3922

Summary

Expose the dropDeployment endpoint in the public API, enabling programmatic file-upload deployments via multipart/form-data.

The endpoint already existed for the web UI — this PR makes it available through the REST API with proper OpenAPI documentation.

Changes

• Remove enabled: false from dropDeployment OpenAPI meta to expose the endpoint
• Switch input schema from z.instanceof(FormData) to uploadFileSchema (zod-form-data) so the OpenAPI generator can produce a proper multipart/form-data spec with typed fields
• Update @dokploy/trpc-openapi to a version that supports multipart/form-data (file field detection, binary format in OpenAPI output)
• Regenerate openapi.json with the new endpoint included

API

POST /api/drop-deployment
Content-Type: multipart/form-data
x-api-key: <api-key>

Field	Type	Required	Description
zip	file (binary)	yes	The deployment archive (.zip)
applicationId	string	no	Target application ID
dropBuildPath	string	no	Path to build config within the archive

Example usage

zip -r app.zip . -x "node_modules/*" && \
curl -X POST https://dokploy.example.com/api/drop-deployment \
  -H "x-api-key: $DOKPLOY_API_KEY" \
  -F "applicationId=$APP_ID" \
  -F "[email protected]"

Test plan

• pnpm generate:openapi succeeds and openapi.json contains /drop-deployment with multipart/form-data content type
• Existing web UI drop deployment still works (no client-side changes)
• Deploy via curl with API key and zip file

Greptile Summary

This PR exposes the existing dropDeployment tRPC endpoint through the public REST API (POST /api/drop-deployment) by removing enabled: false from its OpenAPI metadata and swapping the input schema from z.instanceof(FormData) to uploadFileSchema (zod-form-data), which enables proper OpenAPI spec generation for multipart/form-data uploads.

Key issue found:

• applicationId is optional in schema but required at runtime. The OpenAPI spec correctly marks applicationId as optional (only "zip" is required), but the endpoint code omits validation. When a caller omits applicationId per the spec, findApplicationById(undefined) is called, the query fails silently, and accessing app.environment.project.organizationId on the undefined result throws a TypeError. This produces a 500 error instead of a helpful 400 validation error. The field should either be required in the schema or guarded with an explicit early-return check.

Confidence Score: 2/5

• The PR has a runtime validation bug in the public API that will cause 500 errors for legitimate callers who omit the optional applicationId field.
• The issue is concrete and reproducible: when applicationId is omitted, findApplicationById(undefined) returns no match, and the subsequent property access throws a TypeError. This results in opaque 500 errors for API consumers following the (correct) OpenAPI spec. The endpoint should validate applicationId before database operations. The core functionality is sound, but this validation defect significantly impacts the reliability of the newly exposed public API.
• apps/dokploy/server/api/routers/application.ts — the applicationId validation needs to be added either at the schema level or via an explicit guard check in the mutation handler.

_{Last reviewed commit: 66931fe}

Greptile also left 1 inline comment on this PR.

_{(2/5) Greptile learns from your feedback when you react with thumbs up/down!}

Context used:

• Rule used - AGENTS.md (source)

[dosubot]

Related Documentation

1 document(s) may need updating based on files changed in this PR:

Dokploy's Space

README /dokploy/blob/canary/apps/api/README.md

View Suggested Changes

@@ -77,6 +77,28 @@
 
 This endpoint is used by the UI to display deployment queue information in the dashboard.
 
+### POST /drop-deployment
+
+Upload and deploy a zip file containing your application code. This endpoint enables programmatic file-upload deployments.
+
+**Content-Type:** `multipart/form-data`
+
+**Authentication:** Required (x-api-key header)
+
+**Parameters:**
+- `zip` (File, required) - The zip file containing the application code to deploy
+- `applicationId` (string, required) - The ID of the application to deploy to
+- `dropBuildPath` (string, optional) - Optional path within the zip file to use as the build root
+
+**Example using curl:**
+```bash
+curl -X POST https://your-dokploy-instance.com/drop-deployment \
+  -H "x-api-key: YOUR_API_KEY" \
+  -F "zip=@/path/to/your/app.zip" \
+  -F "applicationId=YOUR_APPLICATION_ID" \
+  -F "dropBuildPath=optional/build/path"
+```
+
 ## Search Endpoints
 
 The following search endpoints provide flexible querying capabilities with pagination support. All search endpoints respect member permissions, returning only resources the user has access to.

[Accept] [Decline]

Note: You must be authenticated to accept/decline updates.

^{How did I do? Any feedback?}  

[fdarian]

Tested

1. Drop deployment upload via Web
2. Drop deployment upoad via API