Update OPEN_THREADS — IDE proxy + token system implemented, agent launch arg change next
This commit is contained in:
parent 77c0eeb1f5
commit 36b3645c74
101 OPEN_THREADS.md
@ -54,74 +54,61 @@ Confirmed:
|
||||
|
||||
Port: `6000`
|
||||
|
||||
---
|
||||
**Next session — agent change required:**
|
||||
|
||||
### Access Model (Updated)
|
||||
code-server must be relaunched with:
|
||||
|
||||
The previous approach using:
|
||||
```
|
||||
--auth none
|
||||
--base-path /api/dev/<vmid>/ide
|
||||
```
|
||||
|
||||
- Cloudflare DNS
|
||||
- Technitium DNS
|
||||
- Traefik dynamic config per container
|
||||
|
||||
has been **abandoned**.
|
||||
|
||||
Reason:
|
||||
|
||||
- too many moving pieces
|
||||
- TLS and proxy complexity
|
||||
- per-container DNS automation
|
||||
- unnecessary exposure of internal dev services
|
||||
Reason: API token is now the sole auth mechanism. Password prompt must be removed. Base path required for correct asset loading through proxy.
|
||||
|
||||
---
|
||||
|
||||
### New Access Strategy
|
||||
## Dev IDE Access
|
||||
|
||||
Dev containers will support **two access paths**.
|
||||
|
||||
#### Path 1 — Browser IDE (Primary)
|
||||
### Browser IDE (Implemented ✅)
|
||||
|
||||
```
|
||||
Browser
|
||||
↓
|
||||
Portal
|
||||
↓
|
||||
API proxy
|
||||
API (/api/dev/:id/ide)
|
||||
↓
|
||||
container:6000
|
||||
```
|
||||
|
||||
URL format: `/dev/<vmid>/ide`
|
||||
Implemented in API:
|
||||
|
||||
Implementation requirements:
|
||||
- `src/routes/devProxy.js` — proxy route mounted in `src/app.js`
|
||||
- `GET /api/dev/:id/ide` and `GET /api/dev/:id/ide/*`
|
||||
- ownership verification before proxying
|
||||
- `ctype === "dev"` required
|
||||
- WebSocket support via `http-proxy-middleware` (`ws: true`)
|
||||
- `server.on('upgrade')` handler wired
|
||||
|
||||
- API proxy using `http-proxy-middleware`
|
||||
- WebSocket support (`ws: true`)
|
||||
- `server.on('upgrade', proxy.upgrade)`
|
||||
- code-server launch args: `--base-path /dev/<vmid>/ide --auth none`
|
||||
IDE token system implemented:
|
||||
|
||||
Authentication handled by portal JWT.
|
||||
- `POST /api/dev/:id/ide-token` — returns signed short-lived token
|
||||
- token payload: `sub`, `vmid`, `type: "dev-ide"`
|
||||
- default TTL: 300 seconds
|
||||
- env overrides: `API_AUTH_IDE_TTL_SECONDS`, `API_AUTH_IDE_SECRET`
|
||||
- proxy accepts `Authorization: Bearer` or `?token=<ide-token>`
|
||||
- WebSocket upgrades validate same token
|
||||
|
||||
---
|
||||
### Local Dev Access (Headscale/Tailscale — Future)
|
||||
|
||||
#### Path 2 — Local Dev Access (Advanced Users)
|
||||
|
||||
Direct developer access via **Headscale/Tailscale**.
|
||||
|
||||
Use cases:
|
||||
|
||||
- SSH
|
||||
- VS Code Remote
|
||||
- local development tools
|
||||
|
||||
Outstanding tasks:
|
||||
Outstanding:
|
||||
|
||||
- confirm `zlh-ctl` Headscale server status
|
||||
- implement Tailscale addon install
|
||||
- implement Tailscale addon install in agent
|
||||
- API auth key generation
|
||||
- portal instructions
|
||||
- portal setup instructions
|
||||
|
||||
Headscale constraints:
|
||||
Constraints:
|
||||
|
||||
- `magic_dns: false`
|
||||
- no exit nodes
|
||||
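Review bot: the IDE token bullets (`proxy accepts Authorization: Bearer or ?token=<ide-token>`, `WebSocket upgrades validate same token`) do not say that the proxy checks the token's `vmid` claim against the `:id` in the route and that `type` is `"dev-ide"`; without those two checks a token minted for one dev container is not bound to the path it is presented on, so list them next to `ownership verification before proxying`. Two related points: with `--auth none` on code-server the proxy is the only authentication in front of `container:6000`, so the document should state that port 6000 is reachable only from the API host (the old approach was dropped partly for `unnecessary exposure of internal dev services`); and a `?token=` query parameter lands in access logs and browser history, so note that the 300-second TTL is the mitigation and prefer the `Authorization: Bearer` form wherever the client can set a header.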
@ -131,11 +118,12 @@ Headscale constraints:
|
||||
|
||||
## Agent Future Work (priority order)
|
||||
|
||||
1. Structured logging (slog) for Loki
|
||||
2. Dev container provisioningComplete state
|
||||
3. Crash recovery backoff
|
||||
4. Graceful shutdown verification
|
||||
5. Process reattachment on agent restart
|
||||
1. Update code-server launch args (`--auth none`, `--base-path /api/dev/<vmid>/ide`)
|
||||
2. Structured logging (slog) for Loki
|
||||
3. Dev container provisioningComplete state
|
||||
4. Crash recovery backoff
|
||||
5. Graceful shutdown verification
|
||||
6. Process reattachment on agent restart
|
||||
|
||||
---
|
||||
|
||||
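Review bot: item 1 gives the base path as `/api/dev/<vmid>/ide`, while the hunk above lists `--base-path /dev/<vmid>/ide` and `URL format: /dev/<vmid>/ide`; the base path must equal the prefix the browser actually requests after the portal and API proxy have rewritten it, otherwise code-server's asset and WebSocket URLs resolve under the wrong prefix, so state here which prefix the browser sees and bring the two sections into agreement.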
@ -146,15 +134,15 @@ Completed:
|
||||
- dev provisioning payload
|
||||
- runtime/version fields
|
||||
- enable_code_server flag
|
||||
- API status endpoint for frontend state
|
||||
- `GET /api/servers/:id/status` — server status endpoint
|
||||
- `POST /api/dev/:id/ide-token` — IDE token generation
|
||||
- `GET /api/dev/:id/ide` — IDE proxy route with WebSocket support
|
||||
- dev routing experiment removed (`devRouting.js`, `devDePublisher.js` deleted)
|
||||
|
||||
Outstanding:
|
||||
|
||||
- `/dev/:id/ide` proxy route
|
||||
- websocket upgrade handling
|
||||
- ownership validation before proxy
|
||||
- dev runtime catalog endpoint for portal
|
||||
- Headscale auth key generation
|
||||
- dev runtime catalog endpoint
|
||||
|
||||
---
|
||||
|
||||
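Review bot: under Outstanding, `/dev/:id/ide proxy route`, `websocket upgrade handling` and `ownership validation before proxy` repeat entries that the Completed list in this hunk marks done; unless they are the removed side of the diff, delete them so the section tracks only open work. Also, `dev routing experiment removed (devRouting.js, devDePublisher.js deleted)` covers the code but not the per-container Traefik dynamic config and Cloudflare/Technitium DNS records that experiment created; add a cleanup task so no stale route still reaches a container after the code path is gone.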
@ -169,18 +157,13 @@ Completed:
|
||||
|
||||
Outstanding:
|
||||
|
||||
- "Open IDE" button
|
||||
- `/dev/<vmid>/ide` page
|
||||
- "Open IDE" button — calls `POST /api/dev/:id/ide-token`, opens returned URL in new tab
|
||||
- Headscale setup instructions
|
||||
|
||||
---
|
||||
|
||||
## Platform
|
||||
|
||||
Active thread:
|
||||
|
||||
- implement browser IDE proxy
|
||||
|
||||
Future work:
|
||||
|
||||
- Tailscale dev access
|
||||
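Review bot: the "Open IDE" bullet should say that the URL returned by `POST /api/dev/:id/ide-token` embeds the short-lived token, so the button must request the token at click time rather than prefetch it, and should open the new tab with `noopener` so the IDE window has no handle back to the portal; also, `implement browser IDE proxy` is still the active Platform thread in this hunk although the IDE section above marks it implemented, so move it to Future/Completed or the removed side.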
@ -198,3 +181,5 @@ Future work:
|
||||
- ✅ Dev container filesystem model
|
||||
- ✅ Code-server artifact fix
|
||||
- ✅ API status endpoint for frontend agent-state consumption
|
||||
- ✅ Dev IDE proxy implementation (API proxy + token system)
|
||||
- ✅ Dev DNS/Traefik routing experiment — removed
|
||||
|
||||
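Review bot: `✅ Dev IDE proxy implementation (API proxy + token system)` reads as end-to-end done, but the Agent Future Work list in this same change still carries `Update code-server launch args` as item 1; until the agent relaunches code-server with the new base path and `--auth none`, the proxied IDE will not load correctly, so qualify this line as API-side complete with the agent change pending.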