From c499be3e1ed5d5460341fe0871c8b5d87c2be80f Mon Sep 17 00:00:00 2001 From: jester Date: Sun, 22 Mar 2026 21:56:11 +0000 Subject: [PATCH] =?UTF-8?q?Update=20project=20context=20=E2=80=94=20hosted?= =?UTF-8?q?=20IDE=20flow=20working,=20Traefik=20wildcard=20model=20current?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- PROJECT_CONTEXT.md | 82 ++++++++++++++++++++++++++++++++++------------ 1 file changed, 61 insertions(+), 21 deletions(-) diff --git a/PROJECT_CONTEXT.md b/PROJECT_CONTEXT.md index b810f78..f26a767 100644 --- a/PROJECT_CONTEXT.md +++ b/PROJECT_CONTEXT.md @@ -29,9 +29,9 @@ System posture: stable, controlled expansion phase. | 1001 | zlh-dns | Technitium DNS | | 1002 | zlh-proxy | Traefik — core/frontend SSL termination (portal traffic) | | 1003 | zlh-artifacts | Runtime binaries + Minecraft server jars (agent install source) | -| 1004 | zlh-zpack-proxy | Traefik — game server traffic only | +| 1004 | zlh-zpack-proxy | Traefik — game/dev edge routing + dev IDE wildcard TLS | | 1005 | zpack-api | Node.js API | -| 1006 | zlh-zpack-router | Game server router | +| 1006 | zlh-zpack-router | Game/dev router | | 1100 | zpack-portal | Next.js frontend | | 2001 | zlh-back | PBS backup + Backblaze B2 | 
@@ -95,24 +95,60 @@ access. Pulls runtimes + server jars from zlh-artifacts (VM 1003). - code-server detection: `/proc/*/cmdline` scan - agent port: `18888` -**Current blocking issue:** code-server missing `--base-path /api/dev//ide` -in launch args. Causes WS 1006, filesystem provider failure, extension host crash. -Fix is one line in the agent launch script. +Code-server launch model: + +- binds to `0.0.0.0` +- `--auth none` +- API/hosted flow handles auth and proxying --- ## Dev Container Access Model -### Browser IDE (API implemented, agent fix pending) +### Browser IDE (Current Working Model) ``` -Browser → Portal → API (/api/dev/:id/ide) → container:6000 +Browser + ↓ +Traefik (dev-.zerolaghub.dev, 10.70.0.242) + ↓ +API (10.60.0.245:4000) + ↓ +container:6000 ``` -Portal calls `POST /api/dev/:id/ide-token`, opens returned URL in new tab. -Token TTL: 300s. Proxy accepts `Authorization: Bearer` or `?token=`. -WebSocket upgrades validated with same token. -Containers never publicly exposed. +Working hosted flow: + +1. frontend calls `POST /api/dev/:id/ide-token` +2. API returns `https://dev-.zerolaghub.dev/?token=...` +3. browser opens hosted URL +4. Traefik wildcard router forwards to API at `http://10.60.0.245:4000` +5. API validates token, sets HTTP-only IDE cookie, redirects to clean hosted URL +6. subsequent cookie-backed request proxied to container code-server +7. code-server redirects to `/?folder=/home/dev/workspace` +8. 
IDE loads successfully + +Curl-verified response chain: + +- `GET /?token=...` → `302` + `Set-Cookie` +- `GET /` with cookie → `302` to `/?folder=/home/dev/workspace` +- `GET /?folder=/home/dev/workspace` → `200` code-server HTML + +### Traefik Role + +- terminates TLS via wildcard cert `*.zerolaghub.dev` (Let's Encrypt DNS-01 via Cloudflare) +- matches `dev-*.zerolaghub.dev` via `HostRegexp` +- forwards to API at `http://10.60.0.245:4000` +- preserves original `Host` header (`passHostHeader: true`) +- does NOT route directly to containers + +### API Role + +- extracts vmid from `Host` header via `handleHostedProxy` +- validates short-lived IDE token +- sets HTTP-only `zlh_dev_ide_token` cookie +- redirects token URL to clean hostname URL +- proxies all live code-server HTTP + WebSocket traffic to correct container ### Local Developer Access (Future) 
@@ -120,23 +156,27 @@ Headscale/Tailscale for SSH, VS Code Remote, local tools. Headscale server: `zlh-ctl` (status to be confirmed). Constraints: no exit nodes, `magic_dns: false`. -### Removed +### Removed / No Longer Current -DNS-per-container + Traefik dynamic routing abandoned. -Removed from API: `devRouting.js`, `devDePublisher.js`, Traefik file writes. -`proxyClient.js` retained — still used by game edge publish path. +- path-based `/api/dev/:id/ide` as primary browser entry +- Caddy-hosted dev IDE edge +- per-container Traefik file creation from dev provisioning +- per-container Cloudflare/Technitium publish/unpublish from API for dev IDE access + +`proxyClient.js` remains in repo — still used by game edge publish logic. --- ## API Routes — Dev IDE ``` -POST /api/dev/:id/ide-token — generate short-lived IDE token -GET /api/dev/:id/ide — proxy to container:6000 -GET /api/dev/:id/ide/* — proxy to container:6000 -GET /api/servers/:id/status — expose polled agent state to frontend +POST /api/dev/:id/ide-token — generate short-lived IDE token + hosted URL ``` +Hosted requests land on the API through Traefik using the dev hostname. +API handles host-based vmid extraction, token bootstrap, cookie handoff, +HTTP + WebSocket proxy to code-server. + --- ## API / Frontend Status @@ -174,8 +214,8 @@ Revenue multiplier: 1 developer → ~10 players → $147.50/mo total. ## Open Threads -1. **Agent:** fix code-server `--base-path /api/dev//ide` — unblocks IDE -2. **Portal:** "Open IDE" button calling `/api/dev/:id/ide-token` +1. Verify full browser behavior + WebSocket under hosted wildcard flow +2. Confirm "Open IDE" button in portal uses hosted URL in production path 3. Confirm Headscale `zlh-ctl` VM status 4. Curated provenance — tracking install origin
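Review bot: in the VM table hunk (`@@ -29,9 +29,9 @@`), the 1006 row becomes `Game/dev router`, but the Browser IDE flow added later in this patch goes from Traefik to the API to container:6000 and never mentions zlh-zpack-router, so the document does not say what dev traffic 1006 carries. Either describe the router's dev role in the row or leave it as game-only. The 1004 row now makes zlh-zpack-proxy the TLS termination point for the dev IDE wildcard; since the Traefik Role section says the certificate comes from Let's Encrypt DNS-01 via Cloudflare, the document should also say where the Cloudflare DNS credential used for that challenge is held.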
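Review bot: in the `@@ -95,24 +95,60 @@` hunk, the new launch model (`binds to 0.0.0.0`, `--auth none`) leaves the API as the only authentication in front of code-server, while the same hunk deletes `Containers never publicly exposed.` and adds nothing in its place. Please document what restricts container:6000 to the API host, and what keeps the plain-HTTP listener at `http://10.60.0.245:4000` reachable only from Traefik, since `handleHostedProxy` takes the vmid from a `Host` header that Traefik passes through unchanged (`passHostHeader: true`). The hunk also drops `Token TTL: 300s` and `WebSocket upgrades validated with same token.`: "short-lived" should keep its number, and the API Role list should state that WebSocket upgrades are checked against the `zlh_dev_ide_token` cookie and that the token and cookie are bound to the vmid derived from `Host`. The cookie is described only as HTTP-only; state its Secure and SameSite attributes and whether it is host-only or scoped to the parent domain, because a parent-domain cookie would be sent to every `dev-*` hostname.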
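Review bot: in the `@@ -120,23 +156,27 @@` hunk, the routes block deletes `GET /api/servers/:id/status` together with the two `/api/dev/:id/ide` proxy routes, but the new "Removed / No Longer Current" list only covers the IDE path. If the status route still exists, keep it documented (here or in another section); if it was removed, list it. The entry `path-based /api/dev/:id/ide as primary browser entry` also leaves open whether those routes are still mounted in the API; say whether they are gone or kept as a fallback, because a path route that is still mounted is a second entry point to the same proxy and needs the same token check. The old text named the files removed from the API (`devRouting.js`, `devDePublisher.js`); the replacement bullets no longer do, which loses a useful pointer for anyone auditing the repo.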
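Review bot: in the Open Threads hunk (`@@ -174,8 +214,8 @@`), item 1 `Verify full browser behavior + WebSocket under hosted wildcard flow` contradicts the heading `Browser IDE (Current Working Model)` and step 8 `IDE loads successfully` added earlier in this patch, where the only evidence given is a curl-verified chain of three HTTP responses. Suggest labelling the model as curl-verified until the browser and WebSocket check is done, and aligning the commit subject's "hosted IDE flow working" with that. The old item 1 about the code-server `--base-path` launch argument is removed without saying whether it was fixed in the agent or made unnecessary by the hostname model; one line stating which would close the thread cleanly.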