Update project context — hosted IDE flow working, Traefik wildcard model current

jester 2026-03-22 21:56:11 +00:00
parent 8f7a4bf5ba
commit c499be3e1e


@ -29,9 +29,9 @@ System posture: stable, controlled expansion phase.
| 1001 | zlh-dns | Technitium DNS | | 1001 | zlh-dns | Technitium DNS |
| 1002 | zlh-proxy | Traefik — core/frontend SSL termination (portal traffic) | | 1002 | zlh-proxy | Traefik — core/frontend SSL termination (portal traffic) |
| 1003 | zlh-artifacts | Runtime binaries + Minecraft server jars (agent install source) | | 1003 | zlh-artifacts | Runtime binaries + Minecraft server jars (agent install source) |
| 1004 | zlh-zpack-proxy | Traefik — game server traffic only | | 1004 | zlh-zpack-proxy | Traefik — game/dev edge routing + dev IDE wildcard TLS |
| 1005 | zpack-api | Node.js API | | 1005 | zpack-api | Node.js API |
| 1006 | zlh-zpack-router | Game server router | | 1006 | zlh-zpack-router | Game/dev router |
| 1100 | zpack-portal | Next.js frontend | | 1100 | zpack-portal | Next.js frontend |
| 2001 | zlh-back | PBS backup + Backblaze B2 | | 2001 | zlh-back | PBS backup + Backblaze B2 |
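Review bot: the 1004 row now reads "game/dev edge routing + dev IDE wildcard TLS" while the 1002 row is unchanged, so the table no longer says which Traefik instance is authoritative for `*.zerolaghub.dev` or whether 1002 still receives no `dev-*` hosts; suggest folding that split into the 1004 description, e.g. `Traefik — game/dev edge routing + dev IDE wildcard TLS (dev-*.zerolaghub.dev only; portal stays on 1002)`, so two edges terminating TLS for the same zone are not read as a shared role.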
@ -95,24 +95,60 @@ access. Pulls runtimes + server jars from zlh-artifacts (VM 1003).
- code-server detection: `/proc/*/cmdline` scan - code-server detection: `/proc/*/cmdline` scan
- agent port: `18888` - agent port: `18888`
**Current blocking issue:** code-server missing `--base-path /api/dev/<vmid>/ide` Code-server launch model:
in launch args. Causes WS 1006, filesystem provider failure, extension host crash.
Fix is one line in the agent launch script. - binds to `0.0.0.0`
- `--auth none`
- API/hosted flow handles auth and proxying
--- ---
## Dev Container Access Model ## Dev Container Access Model
### Browser IDE (API implemented, agent fix pending) ### Browser IDE (Current Working Model)
``` ```
Browser → Portal → API (/api/dev/:id/ide) → container:6000 Browser
Traefik (dev-<vmid>.zerolaghub.dev, 10.70.0.242)
API (10.60.0.245:4000)
container:6000
``` ```
Portal calls `POST /api/dev/:id/ide-token`, opens returned URL in new tab. Working hosted flow:
Token TTL: 300s. Proxy accepts `Authorization: Bearer` or `?token=`.
WebSocket upgrades validated with same token. 1. frontend calls `POST /api/dev/:id/ide-token`
Containers never publicly exposed. 2. API returns `https://dev-<vmid>.zerolaghub.dev/?token=...`
3. browser opens hosted URL
4. Traefik wildcard router forwards to API at `http://10.60.0.245:4000`
5. API validates token, sets HTTP-only IDE cookie, redirects to clean hosted URL
6. subsequent cookie-backed request proxied to container code-server
7. code-server redirects to `/?folder=/home/dev/workspace`
8. IDE loads successfully
Curl-verified response chain:
- `GET /?token=...``302` + `Set-Cookie`
- `GET /` with cookie → `302` to `/?folder=/home/dev/workspace`
- `GET /?folder=/home/dev/workspace``200` code-server HTML
### Traefik Role
- terminates TLS via wildcard cert `*.zerolaghub.dev` (Let's Encrypt DNS-01 via Cloudflare)
- matches `dev-*.zerolaghub.dev` via `HostRegexp`
- forwards to API at `http://10.60.0.245:4000`
- preserves original `Host` header (`passHostHeader: true`)
- does NOT route directly to containers
### API Role
- extracts vmid from `Host` header via `handleHostedProxy`
- validates short-lived IDE token
- sets HTTP-only `zlh_dev_ide_token` cookie
- redirects token URL to clean hostname URL
- proxies all live code-server HTTP + WebSocket traffic to correct container
### Local Developer Access (Future) ### Local Developer Access (Future)
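Review bot: the launch model lines (`binds to 0.0.0.0`, `--auth none`) move all authentication to the API, yet the new text drops the old "Containers never publicly exposed" and "Token TTL: 300s" statements without replacing them; since anything that can reach container port 6000 now gets an unauthenticated IDE, the section should state what restricts reachability of that port to the API host (`10.60.0.245`) and restore the TTL. Two details worth adding to the API Role list: the cookie attributes beyond HTTP-only (`Secure`, `SameSite`, and that it is set without a `Domain` so it stays scoped to the single `dev-<vmid>` host rather than the whole wildcard), and whether the `?token=` value is invalidated once exchanged for the cookie, given it lands in browser history and Traefik access logs. The curl chain lines `GET /?token=...``302` and `GET /?folder=/home/dev/workspace``200` have also lost their arrows.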
@ -120,23 +156,27 @@ Headscale/Tailscale for SSH, VS Code Remote, local tools.
Headscale server: `zlh-ctl` (status to be confirmed). Headscale server: `zlh-ctl` (status to be confirmed).
Constraints: no exit nodes, `magic_dns: false`. Constraints: no exit nodes, `magic_dns: false`.
### Removed ### Removed / No Longer Current
DNS-per-container + Traefik dynamic routing abandoned. - path-based `/api/dev/:id/ide` as primary browser entry
Removed from API: `devRouting.js`, `devDePublisher.js`, Traefik file writes. - Caddy-hosted dev IDE edge
`proxyClient.js` retained — still used by game edge publish path. - per-container Traefik file creation from dev provisioning
- per-container Cloudflare/Technitium publish/unpublish from API for dev IDE access
`proxyClient.js` remains in repo — still used by game edge publish logic.
--- ---
## API Routes — Dev IDE ## API Routes — Dev IDE
``` ```
POST /api/dev/:id/ide-token — generate short-lived IDE token POST /api/dev/:id/ide-token — generate short-lived IDE token + hosted URL
GET /api/dev/:id/ide — proxy to container:6000
GET /api/dev/:id/ide/* — proxy to container:6000
GET /api/servers/:id/status — expose polled agent state to frontend
``` ```
Hosted requests land on the API through Traefik using the dev hostname.
API handles host-based vmid extraction, token bootstrap, cookie handoff,
HTTP + WebSocket proxy to code-server.
--- ---
## API / Frontend Status ## API / Frontend Status
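Review bot: the route block still lists `GET /api/dev/:id/ide` and `GET /api/dev/:id/ide/*` as proxies to container:6000 while the Removed section says path-based `/api/dev/:id/ide` is no longer the primary browser entry; clarify whether those two routes remain live (in which case they are a second entry point that must apply the same token/cookie check as `handleHostedProxy`) or are deprecated and should be dropped from the block. For the added paragraph on host-based vmid extraction, state that the `Host` value is matched against the `dev-<vmid>` pattern and that the vmid is cross-checked against the token rather than taken from the header alone, since `passHostHeader: true` means the API sees whatever hostname the client sent.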
@ -174,8 +214,8 @@ Revenue multiplier: 1 developer → ~10 players → $147.50/mo total.
## Open Threads ## Open Threads
1. **Agent:** fix code-server `--base-path /api/dev/<vmid>/ide` — unblocks IDE 1. Verify full browser behavior + WebSocket under hosted wildcard flow
2. **Portal:** "Open IDE" button calling `/api/dev/:id/ide-token` 2. Confirm "Open IDE" button in portal uses hosted URL in production path
3. Confirm Headscale `zlh-ctl` VM status 3. Confirm Headscale `zlh-ctl` VM status
4. Curated provenance — tracking install origin 4. Curated provenance — tracking install origin
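Review bot: open thread 1 ("Verify full browser behavior + WebSocket under hosted wildcard flow") replaces the earlier explicit statement "WebSocket upgrades validated with same token", so the document currently has no sentence saying upgrades are authenticated at all; suggest phrasing the thread as a concrete check, e.g. "confirm a WebSocket upgrade without the `zlh_dev_ide_token` cookie, or with another vmid's cookie, is refused", and re-adding the validation statement to the API Role list once confirmed.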