diff --git a/OPEN_THREADS.md b/OPEN_THREADS.md index f3f0fe7..2bde474 100644 --- a/OPEN_THREADS.md +++ b/OPEN_THREADS.md 
@@ -54,74 +54,61 @@ Confirmed: Port: `6000` ---- +**Next session — agent change required:** -### Access Model (Updated) +code-server must be relaunched with: -The previous approach using: +``` +--auth none +--base-path /api/dev//ide +``` -- Cloudflare DNS -- Technitium DNS -- Traefik dynamic config per container - -has been **abandoned**. - -Reason: - -- too many moving pieces -- TLS and proxy complexity -- per-container DNS automation -- unnecessary exposure of internal dev services +Reason: API token is now the sole auth mechanism. Password prompt must be removed. Base path required for correct asset loading through proxy. --- -### New Access Strategy +## Dev IDE Access -Dev containers will support **two access paths**. - -#### Path 1 — Browser IDE (Primary) +### Browser IDE (Implemented ✅) ``` Browser ↓ Portal ↓ -API proxy +API (/api/dev/:id/ide) ↓ container:6000 ``` -URL format: `/dev//ide` +Implemented in API: -Implementation requirements: +- `src/routes/devProxy.js` — proxy route mounted in `src/app.js` +- `GET /api/dev/:id/ide` and `GET /api/dev/:id/ide/*` +- ownership verification before proxying +- `ctype === "dev"` required +- WebSocket support via `http-proxy-middleware` (`ws: true`) +- `server.on('upgrade')` handler wired -- API proxy using `http-proxy-middleware` -- WebSocket support (`ws: true`) -- `server.on('upgrade', proxy.upgrade)` -- code-server launch args: `--base-path /dev//ide --auth none` +IDE token system implemented: -Authentication handled by portal JWT. +- `POST /api/dev/:id/ide-token` — returns signed short-lived token +- token payload: `sub`, `vmid`, `type: "dev-ide"` +- default TTL: 300 seconds +- env overrides: `API_AUTH_IDE_TTL_SECONDS`, `API_AUTH_IDE_SECRET` +- proxy accepts `Authorization: Bearer` or `?token=` +- WebSocket upgrades validate same token ---- +### Local Dev Access (Headscale/Tailscale — Future) -#### Path 2 — Local Dev Access (Advanced Users) - -Direct developer access via **Headscale/Tailscale**. 
- -Use cases: - -- SSH -- VS Code Remote -- local development tools - -Outstanding tasks: +Outstanding: - confirm `zlh-ctl` Headscale server status -- implement Tailscale addon install +- implement Tailscale addon install in agent - API auth key generation -- portal instructions +- portal setup instructions -Headscale constraints: +Constraints: - `magic_dns: false` - no exit nodes @@ -131,11 +118,12 @@ Headscale constraints: ## Agent Future Work (priority order) -1. Structured logging (slog) for Loki -2. Dev container provisioningComplete state -3. Crash recovery backoff -4. Graceful shutdown verification -5. Process reattachment on agent restart +1. Update code-server launch args (`--auth none`, `--base-path /api/dev//ide`) +2. Structured logging (slog) for Loki +3. Dev container provisioningComplete state +4. Crash recovery backoff +5. Graceful shutdown verification +6. Process reattachment on agent restart --- @@ -146,15 +134,15 @@ Completed: - dev provisioning payload - runtime/version fields - enable_code_server flag -- API status endpoint for frontend state +- `GET /api/servers/:id/status` — server status endpoint +- `POST /api/dev/:id/ide-token` — IDE token generation +- `GET /api/dev/:id/ide` — IDE proxy route with WebSocket support +- dev routing experiment removed (`devRouting.js`, `devDePublisher.js` deleted) Outstanding: -- `/dev/:id/ide` proxy route -- websocket upgrade handling -- ownership validation before proxy +- dev runtime catalog endpoint for portal - Headscale auth key generation -- dev runtime catalog endpoint --- @@ -169,18 +157,13 @@ Completed: Outstanding: -- "Open IDE" button -- `/dev//ide` page +- "Open IDE" button — calls `POST /api/dev/:id/ide-token`, opens returned URL in new tab - Headscale setup instructions --- ## Platform -Active thread: - -- implement browser IDE proxy - Future work: - Tailscale dev access 
@@ -198,3 +181,5 @@ Future work: - ✅ Dev container filesystem model - ✅ Code-server artifact fix - ✅ API status endpoint for frontend agent-state consumption +- ✅ Dev IDE proxy implementation (API proxy + token system) +- ✅ Dev DNS/Traefik routing experiment — removed
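Review bot: in the first hunk (`@@ -54,74`), the bullet "proxy accepts `Authorization: Bearer` or `?token=`" puts the short-lived IDE token into a URL, so it will be written to browser history, to the API's access logs and into the Referer header of every asset code-server loads under the base path; limit the query-string form to the initial navigation and the WebSocket upgrade (where a browser cannot set an Authorization header), have the proxy exchange it there for a scoped cookie, and keep `Authorization: Bearer` for the rest. The same hunk should also note what "API token is now the sole auth mechanism" implies for the network side: once the agent launches code-server with `--auth none`, `container:6000` must be reachable only from the API proxy, otherwise the token check is bypassed entirely. Finally, since the payload carries `type: "dev-ide"`, the proxy should reject any token without that type and the main API should reject tokens with it, so a portal JWT and an IDE token are not interchangeable if `API_AUTH_IDE_SECRET` is not set and the two share a signing secret.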
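Review bot: in the `@@ -131,11` hunk, the new item 1 writes the base path as `--base-path /api/dev//ide`, with an empty segment where the proxy route `GET /api/dev/:id/ide` expects the container id; the entry should say whether the agent substitutes the id at launch, because code-server rewrites its asset URLs from the literal path it is given and a mismatch with the proxy prefix is exactly the "correct asset loading through proxy" problem the earlier hunk calls out.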
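Review bot: in the `@@ -169,18` hunk, the "Open IDE" bullet opens the URL returned by `POST /api/dev/:id/ide-token` in a new tab, but with the 300-second default TTL a reload or WebSocket reconnect of that tab after five minutes will fail unless the proxy turns the first validated request into a session cookie; the bullet should state which behaviour is intended (re-fetch a token on reload, or cookie after first validation), and the new tab should be opened with `noopener` so the IDE origin gets no handle back to the portal window.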