Update open threads — host-based IDE URL blocked on browser HSTS cache

OPEN_THREADS.md

@@ -80,7 +80,7 @@ Completed:
 
 ## Dev IDE Access
 
-### Browser IDE ✅ Working
+### Browser IDE ✅ Working (path-based)
 
 ```
 Browser → Portal → API (bootstrap) → /__ide/:id/* → container:8080
@@ -95,20 +95,32 @@ Working flow:
 5. all live code-server HTTP + WS traffic proxied through `/__ide/:id/*`
 6. API proxies to `http://<container-ip>:8080`
 
-Key fixes that made it work:
+### Host-based IDE URL — Caddy edge (BLOCKED)
 
-- token bootstrap fixed new-tab auth loss
-- `/__ide/:id` tunnel separated from bootstrap to avoid API route interference
-- upstream port corrected to `8080` (Chrome blocks `6000` as unsafe)
-- `Host` header changed to pass browser host (`req.headers.host`) not container host
-- `Origin` override removed — browser origin passed through only when present
-- WS proxy separated from shared HTTP proxy — built target-bound WS proxy at upgrade time
-- target-bound WS eliminated `ECONNREFUSED 127.0.0.1:8080` fallback bug
+Goal: open IDE on `dev-<vmid>.zerolaghub.dev` instead of raw API IP.
 
-Current state:
+```
+Browser → dev-6070.zerolaghub.dev → Caddy → 127.0.0.1:4000 → API
+```
 
-- browser still sees API host/IP until portal is behind a proper domain/reverse proxy
-- host-based `dev-<vmid>.zlh.dev` support started but reverted — bootstrap path is canonical
+State:
+- API env vars set: `DEV_IDE_HOST_SUFFIX=zerolaghub.dev`, `DEV_IDE_RETURN_HOSTED_URL=true`
+- API generating correct absolute URL: `http://dev-6070.zerolaghub.dev/?token=...`
+- Caddyfile block correct:
+  ```
+  http://dev-*.zerolaghub.dev {
+      @dev host dev-*.zerolaghub.dev
+      reverse_proxy @dev 127.0.0.1:4000
+  }
+  ```
+- `auto_https off` global option added
+
+Blocking issue: browser HSTS cache forces `zerolaghub.dev` subdomains to HTTPS
+regardless of Caddy config. Need to clear Chrome HSTS cache:
+- `chrome://net-internals/#hsts`
+- Delete `zerolaghub.dev` and `dev-6070.zerolaghub.dev`
+
+Resume here next session.
 
 ### Local Dev Access (Headscale/Tailscale — Future)
 
@@ -135,6 +147,7 @@ Completed:
 - `GET /api/dev/:id/ide` — bootstrap route (validates token, sets cookie, redirects)
 - `/__ide/:id/*` — live tunnel proxy (HTTP + WS, target-bound)
 - dev routing experiment removed (`devRouting.js`, `devDePublisher.js` deleted)
+- host-based URL generation (`DEV_IDE_HOST_SUFFIX`, `DEV_IDE_RETURN_HOSTED_URL`)
 
 Outstanding:
 
@@ -183,4 +196,4 @@ Future work:
 - ✅ Crash observability (classification, log tail, exit metadata)
 - ✅ Code-server lifecycle endpoints (start/stop/restart)
 - ✅ Code-server process detection via /proc scan
-- ✅ Dev IDE proxy — browser IDE fully working end-to-end
+- ✅ Dev IDE proxy — browser IDE fully working end-to-end (path-based)