From 70bc8e36b60c9fd37615de096838910ba31d0680 Mon Sep 17 00:00:00 2001 From: jester Date: Sat, 21 Mar 2026 22:42:38 +0000 Subject: [PATCH] =?UTF-8?q?Update=20open=20threads=20=E2=80=94=20host-base?= =?UTF-8?q?d=20IDE=20URL=20blocked=20on=20browser=20HSTS=20cache?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- OPEN_THREADS.md | 39 ++++++++++++++++++++++++++------------- 1 file changed, 26 insertions(+), 13 deletions(-) diff --git a/OPEN_THREADS.md b/OPEN_THREADS.md index b2f8dc0..8fdda3f 100644 --- a/OPEN_THREADS.md +++ b/OPEN_THREADS.md @@ -80,7 +80,7 @@ Completed: ## Dev IDE Access -### Browser IDE ✅ Working +### Browser IDE ✅ Working (path-based) ``` Browser → Portal → API (bootstrap) → /__ide/:id/* → container:8080 
@@ -95,20 +95,32 @@ Working flow: 5. all live code-server HTTP + WS traffic proxied through `/__ide/:id/*` 6. API proxies to `http://:8080` -Key fixes that made it work: +### Host-based IDE URL — Caddy edge (BLOCKED) -- token bootstrap fixed new-tab auth loss -- `/__ide/:id` tunnel separated from bootstrap to avoid API route interference -- upstream port corrected to `8080` (Chrome blocks `6000` as unsafe) -- `Host` header changed to pass browser host (`req.headers.host`) not container host -- `Origin` override removed — browser origin passed through only when present -- WS proxy separated from shared HTTP proxy — built target-bound WS proxy at upgrade time -- target-bound WS eliminated `ECONNREFUSED 127.0.0.1:8080` fallback bug +Goal: open IDE on `dev-.zerolaghub.dev` instead of raw API IP. -Current state: +``` +Browser → dev-6070.zerolaghub.dev → Caddy → 127.0.0.1:4000 → API +``` -- browser still sees API host/IP until portal is behind a proper domain/reverse proxy -- host-based `dev-.zlh.dev` support started but reverted — bootstrap path is canonical +State: +- API env vars set: `DEV_IDE_HOST_SUFFIX=zerolaghub.dev`, `DEV_IDE_RETURN_HOSTED_URL=true` +- API generating correct absolute URL: `http://dev-6070.zerolaghub.dev/?token=...` +- Caddyfile block correct: + ``` + http://dev-*.zerolaghub.dev { + @dev host dev-*.zerolaghub.dev + reverse_proxy @dev 127.0.0.1:4000 + } + ``` +- `auto_https off` global option added + +Blocking issue: browser HSTS cache forces `zerolaghub.dev` subdomains to HTTPS +regardless of Caddy config. Need to clear Chrome HSTS cache: +- `chrome://net-internals/#hsts` +- Delete `zerolaghub.dev` and `dev-6070.zerolaghub.dev` + +Resume here next session. ### Local Dev Access (Headscale/Tailscale — Future) 
@@ -135,6 +147,7 @@ Completed: - `GET /api/dev/:id/ide` — bootstrap route (validates token, sets cookie, redirects) - `/__ide/:id/*` — live tunnel proxy (HTTP + WS, target-bound) - dev routing experiment removed (`devRouting.js`, `devDePublisher.js` deleted) +- host-based URL generation (`DEV_IDE_HOST_SUFFIX`, `DEV_IDE_RETURN_HOSTED_URL`) Outstanding: @@ -183,4 +196,4 @@ Future work: - ✅ Crash observability (classification, log tail, exit metadata) - ✅ Code-server lifecycle endpoints (start/stop/restart) - ✅ Code-server process detection via /proc scan -- ✅ Dev IDE proxy — browser IDE fully working end-to-end +- ✅ Dev IDE proxy — browser IDE fully working end-to-end (path-based)
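Review bot: In the `@@ -95,20 +95,32 @@` hunk, the "Blocking issue" step (delete `zerolaghub.dev` and `dev-6070.zerolaghub.dev` at `chrome://net-internals/#hsts`) is unlikely to unblock anything. The hostname is under `.dev`, a TLD that browsers ship in the HSTS preload list, and that page only removes dynamically learned entries, so the upgrade to HTTPS will persist after the delete. I would record the fix as serving `dev-*.zerolaghub.dev` over TLS at Caddy instead of `http://dev-*.zerolaghub.dev` with `auto_https off`, and have the API return an `https://` URL. That also stops the bootstrap URL `http://dev-6070.zerolaghub.dev/?token=...` from carrying the token in cleartext. Separately, this hunk deletes the "Key fixes that made it work" list, which is the only record of the `Host` header and `Origin` pass-through decisions for the proxy. Please keep it or move it under the path-based section.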
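Review bot: In the `@@ -135,6 +147,7 @@` hunk, `host-based URL generation (DEV_IDE_HOST_SUFFIX, DEV_IDE_RETURN_HOSTED_URL)` is added under "Completed" while the section added earlier in this same patch marks the host-based IDE URL as BLOCKED. Suggest qualifying the entry as API-side only and adding the Caddy edge / HTTPS work to "Outstanding", so the file does not read as if the hosted URL is usable with `DEV_IDE_RETURN_HOSTED_URL=true` set.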