Update OPEN_THREADS — IDE proxy + token system implemented, agent launch arg change next

This commit is contained in:
jester 2026-03-16 22:10:38 +00:00
parent 77c0eeb1f5
commit 36b3645c74

@ -54,74 +54,61 @@ Confirmed:
Port: `6000` Port: `6000`
--- **Next session — agent change required:**
### Access Model (Updated) code-server must be relaunched with:
The previous approach using: ```
--auth none
--base-path /api/dev/<vmid>/ide
```
- Cloudflare DNS Reason: API token is now the sole auth mechanism. Password prompt must be removed. Base path required for correct asset loading through proxy.
- Technitium DNS
- Traefik dynamic config per container
has been **abandoned**.
Reason:
- too many moving pieces
- TLS and proxy complexity
- per-container DNS automation
- unnecessary exposure of internal dev services
--- ---
### New Access Strategy ## Dev IDE Access
Dev containers will support **two access paths**. ### Browser IDE (Implemented ✅)
#### Path 1 — Browser IDE (Primary)
``` ```
Browser Browser
Portal Portal
API proxy API (/api/dev/:id/ide)
container:6000 container:6000
``` ```
URL format: `/dev/<vmid>/ide` Implemented in API:
Implementation requirements: - `src/routes/devProxy.js` — proxy route mounted in `src/app.js`
- `GET /api/dev/:id/ide` and `GET /api/dev/:id/ide/*`
- ownership verification before proxying
- `ctype === "dev"` required
- WebSocket support via `http-proxy-middleware` (`ws: true`)
- `server.on('upgrade')` handler wired
- API proxy using `http-proxy-middleware` IDE token system implemented:
- WebSocket support (`ws: true`)
- `server.on('upgrade', proxy.upgrade)`
- code-server launch args: `--base-path /dev/<vmid>/ide --auth none`
Authentication handled by portal JWT. - `POST /api/dev/:id/ide-token` — returns signed short-lived token
- token payload: `sub`, `vmid`, `type: "dev-ide"`
- default TTL: 300 seconds
- env overrides: `API_AUTH_IDE_TTL_SECONDS`, `API_AUTH_IDE_SECRET`
- proxy accepts `Authorization: Bearer` or `?token=<ide-token>`
- WebSocket upgrades validate same token
--- ### Local Dev Access (Headscale/Tailscale — Future)
#### Path 2 — Local Dev Access (Advanced Users) Outstanding:
Direct developer access via **Headscale/Tailscale**.
Use cases:
- SSH
- VS Code Remote
- local development tools
Outstanding tasks:
- confirm `zlh-ctl` Headscale server status - confirm `zlh-ctl` Headscale server status
- implement Tailscale addon install - implement Tailscale addon install in agent
- API auth key generation - API auth key generation
- portal instructions - portal setup instructions
Headscale constraints: Constraints:
- `magic_dns: false` - `magic_dns: false`
- no exit nodes - no exit nodes
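Review bot: In the IDE token list, `proxy accepts Authorization: Bearer or ?token=<ide-token>` documents a credential carried in the URL without saying how it is kept out of access logs, browser history and the request forwarded to code-server. Suggest recording that the proxy strips `token` from the query string before proxying and that request logging redacts it, since the 300 second TTL only limits how long a leaked token stays usable. The `API_AUTH_IDE_SECRET` line should also state what is used when the override is unset.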
@ -131,11 +118,12 @@ Headscale constraints:
## Agent Future Work (priority order) ## Agent Future Work (priority order)
1. Structured logging (slog) for Loki 1. Update code-server launch args (`--auth none`, `--base-path /api/dev/<vmid>/ide`)
2. Dev container provisioningComplete state 2. Structured logging (slog) for Loki
3. Crash recovery backoff 3. Dev container provisioningComplete state
4. Graceful shutdown verification 4. Crash recovery backoff
5. Process reattachment on agent restart 5. Graceful shutdown verification
6. Process reattachment on agent restart
--- ---
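Review bot: Item 1 schedules `--auth none` without the condition that makes it safe. Once code-server's password prompt is gone, anything that can reach `container:6000` directly bypasses the token check in the API proxy, so the item should say that port 6000 accepts connections only from the API host and that this is verified before the new launch args roll out.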
@ -146,15 +134,15 @@ Completed:
- dev provisioning payload - dev provisioning payload
- runtime/version fields - runtime/version fields
- enable_code_server flag - enable_code_server flag
- API status endpoint for frontend state - `GET /api/servers/:id/status` — server status endpoint
- `POST /api/dev/:id/ide-token` — IDE token generation
- `GET /api/dev/:id/ide` — IDE proxy route with WebSocket support
- dev routing experiment removed (`devRouting.js`, `devDePublisher.js` deleted)
Outstanding: Outstanding:
- `/dev/:id/ide` proxy route - dev runtime catalog endpoint for portal
- websocket upgrade handling
- ownership validation before proxy
- Headscale auth key generation - Headscale auth key generation
- dev runtime catalog endpoint
--- ---
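Review bot: `ownership validation before proxy` is dropped from Outstanding, but none of the added Completed lines mention it. Suggest folding it into the `GET /api/dev/:id/ide` entry and noting whether `POST /api/dev/:id/ide-token` performs the same ownership check before signing a token with `vmid` in its payload, so the list shows the check on both the issuing and the proxying side.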
@ -169,18 +157,13 @@ Completed:
Outstanding: Outstanding:
- "Open IDE" button - "Open IDE" button — calls `POST /api/dev/:id/ide-token`, opens returned URL in new tab
- `/dev/<vmid>/ide` page
- Headscale setup instructions - Headscale setup instructions
--- ---
## Platform ## Platform
Active thread:
- implement browser IDE proxy
Future work: Future work:
- Tailscale dev access - Tailscale dev access
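Review bot: The "Open IDE" line says the button opens the returned URL, while the API section describes `POST /api/dev/:id/ide-token` as returning a token, so the response shape should be stated in one place. A new-tab navigation can only present the token as `?token=`, and the asset and WebSocket requests the IDE makes afterwards will not carry that query string on their own; the item should say how those requests authenticate and what happens to an open IDE tab after the 300 second TTL expires.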
@ -198,3 +181,5 @@ Future work:
- ✅ Dev container filesystem model - ✅ Dev container filesystem model
- ✅ Code-server artifact fix - ✅ Code-server artifact fix
- ✅ API status endpoint for frontend agent-state consumption - ✅ API status endpoint for frontend agent-state consumption
- ✅ Dev IDE proxy implementation (API proxy + token system)
- ✅ Dev DNS/Traefik routing experiment — removed