jester/zlh-grind
1
0
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects Releases Wiki Activity

Update PROJECT_CONTEXT — IDE proxy + token system implemented, API routes documented

Browse Source
This commit is contained in:
jester 2026-03-16 22:11:31 +00:00
parent 36b3645c74
commit a7b93e5e83
1 changed files with 30 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

69
PROJECT_CONTEXT.md
View File

@ -49,7 +49,7 @@ System posture: stable, controlled expansion phase.
## Stack
**API (zpack-api, VM 1005):** Node.js ESM, Express 5, Prisma 6, MariaDB,
Redis, BullMQ, JWT, Stripe, argon2, ssh2, WebSocket
Redis, BullMQ, JWT, Stripe, argon2, ssh2, WebSocket, http-proxy-middleware
**Portal (zpack-portal, VM 1100):** Next.js 15, TypeScript, TailwindCSS,
Axios, WebSocket console. Sci-fi HUD aesthetic (steel textures, neon
@ -94,69 +94,59 @@ Confirmed:
- code-server process launches and binds to `0.0.0.0:6000`
- frontend host/console state updates correctly via API status endpoint
**Pending agent change:** code-server must be relaunched with `--auth none --base-path /api/dev/<vmid>/ide`
---
## Dev Container Access Model
Dev containers provide two access methods.
### Browser IDE (Primary)
### Browser IDE (Implemented)
```
Browser
Portal
API proxy
API proxy (/api/dev/:id/ide)
container:6000
```
URL format: `/dev/<vmid>/ide`
Portal calls `POST /api/dev/:id/ide-token` first, then opens the returned URL in a new tab. Token is short-lived (300s), signed by API. Proxy accepts token via `Authorization: Bearer` or `?token=` query param. WebSocket upgrades validated with same token.
Benefits:
Containers are never publicly exposed.
- no DNS automation
- no Traefik routing
- no TLS per container
- portal JWT controls access
- ownership validated by API before proxying
### Local Developer Access (Future)
### Local Developer Access (Advanced)
Headscale/Tailscale for SSH, VS Code Remote, local tools.
Headscale server: `zlh-ctl` (status to be confirmed).
Constraints: no exit nodes, `magic_dns: false`.
Advanced users connect via **Tailscale / Headscale**.
### Removed
Benefits:
DNS-per-container + Traefik dynamic routing approach was abandoned.
Code removed from API: `devRouting.js`, `devDePublisher.js`, Traefik file writes.
`proxyClient.js` retained — still used by game edge publish path.
- SSH
- VS Code Remote
- local tooling
---
Headscale server: `zlh-ctl` (status to be confirmed)
## API Routes — Dev IDE
Constraints:
- no exit nodes
- `magic_dns: false`
- no DNS takeover on customer machine
### Removed Approach
The previous model used DNS record per container, Traefik dynamic routes,
and subdomain IDE access. This was removed due to operational complexity,
TLS issues, and per-container DNS automation overhead.
Code paths to remove from API: `createDevRouting()`, proxy SSH writes,
Traefik dynamic file creation.
```
POST /api/dev/:id/ide-token — generate short-lived IDE token
GET /api/dev/:id/ide — proxy to container:6000
GET /api/dev/:id/ide/* — proxy to container:6000
GET /api/servers/:id/status — expose polled agent state to frontend
```
---
## API / Frontend Status
- API polls agent `/status`
- API exposes polled state back to frontend via server status endpoint
- API exposes polled state back to frontend via `GET /api/servers/:id/status`
- Portal no longer relies on stale DB-only state for console availability
- Game publish flow remains untouched — dev routing changes are additive only
- Game publish flow remains untouched
---
@ -186,10 +176,10 @@ Revenue multiplier: 1 developer → ~10 players → $147.50/mo total.
## Open Threads
1. Implement browser IDE proxy (`/dev/:id/ide`) in API
2. Confirm Headscale `zlh-ctl` VM status
3. Curated provenance — tracking install origin
4. Optional future: config diff viewer, upload progress UI, log search
1. Agent: update code-server launch args (`--auth none`, `--base-path /api/dev/<vmid>/ide`)
2. Portal: "Open IDE" button calling `/api/dev/:id/ide-token`
3. Confirm Headscale `zlh-ctl` VM status
4. Curated provenance — tracking install origin
---
@ -218,3 +208,4 @@ All at `git.zerolaghub.com/jester/<repo>`
- VMs 100, 101, 103, 1000 are legacy/unused — not active production
- Do not mark unimplemented work as complete
- Game publish flow must never be modified by dev routing changes
- `proxyClient.js` must not be deleted — used by game edge publish path