# 2026-03-15 – Dev routing pivot

## Summary

Initial attempt exposed dev IDEs via Cloudflare DNS, Technitium DNS, and Traefik dynamic routes.

Each dev container received its own subdomain.

Example: `dev-6062.zerolaghub.dev`

---

## What Was Confirmed Working

- Code-server artifact fixed — compiled release on `zlh-artifacts`
- Code-server installs and launches inside dev containers
- Process binds to `0.0.0.0:6000`
- Traefik loaded the dynamic config file
- Traefik router and service were created
- API can write remote Traefik config via SSH service account
- API status endpoint added — frontend host/console state now updates correctly

Observed process shape:

```bash
/opt/zlh/services/code-server/lib/node /opt/zlh/services/code-server \
  --bind-addr 0.0.0.0:6000 \
  --auth password \
  /home/dev/workspace
```

Note: `ss` shows process as `node` — expected, code-server runs on Node internally.

---

## What Failed

External browser access to `https://dev-6062.zerolaghub.dev` remained broken.

Issues encountered:

- TLS negotiation failures
- Traefik routing complexity
- DNS automation overhead
- per-container subdomain management
- debugging difficulty across Cloudflare → Traefik → container chain

---

## Decision

Traefik/DNS approach abandoned.

Dev IDE routing moving to **API proxy architecture**.

New model:

```
Browser
  ↓
Portal
  ↓
API proxy (/dev//ide)
  ↓
container:6000
```

Advantages:

- eliminates DNS automation
- removes Traefik dependency for dev containers
- simplifies provisioning
- portal JWT controls access
- no per-container TLS

Implementation requirements:

- `http-proxy-middleware` with `ws: true`
- `server.on('upgrade', proxy.upgrade)` — required for WebSocket
- code-server launch args: `--base-path /dev//ide --auth none`
- API verifies container ownership before proxying

---

## Code to Remove from API

These code paths are no longer part of the architecture:

- `createDevRouting()`
- proxy SSH writes for Traefik dynamic files
- Traefik dynamic file creation on provisioning
- Cloudflare/Technitium DNS record creation for dev containers

Game publish flow must remain untouched — only dev routing code is removed.

---

## Additional Dev Access Path

Headscale/Tailscale will be added as an advanced option for developers who want their local environment (SSH, VS Code Remote, local tools).

Headscale server expected on `zlh-ctl` — status to be confirmed.

Constraints:

- no exit nodes
- `magic_dns: false`
- no DNS takeover on customer machine
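
---

Added example (not the project's code) for the implementation requirements under Decision: with `--auth none` the API proxy is the only access control, and `upgrade` events do not pass through Express middleware, so one ownership gate has to cover both HTTP requests and WebSocket upgrades. Assumptions: the elided path segment is a numeric container id, the portal JWT is HS256 in a cookie named `portal_jwt`, and `ownerOf` / `addressOf` are hypothetical lookups into the API's container records.

```javascript
const crypto = require('node:crypto');

// Assumption: the path segment elided on the page is a numeric container id.
const IDE_PATH = /^\/dev\/(\d+)\/ide(?:[/?]|$)/;

// Minimal HS256 check (stand-in for whatever JWT library the portal uses).
function verifyJwt(token, secret) {
  const [h, p, sig, extra] = String(token || '').split('.');
  if (!h || !p || !sig || extra !== undefined) return null;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString());
    claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  } catch { return null; }
  if (header?.alg !== 'HS256') return null; // refuse "none" and algorithm swaps
  const want = crypto.createHmac('sha256', secret).update(`${h}.${p}`).digest();
  const got = Buffer.from(sig, 'base64url');
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) return null;
  if (typeof claims?.exp !== 'number' || claims.exp * 1000 <= Date.now()) return null;
  return claims;
}

// Single gate shared by the HTTP middleware and the WebSocket upgrade handler.
// ownerOf(id) and addressOf(id) are hypothetical lookups, not project functions.
function authorizeDevRequest(req, { secret, ownerOf, addressOf }) {
  const m = IDE_PATH.exec(req.url || '');
  if (!m) return { ok: false, status: 404 };
  const cookie = /(?:^|;\s*)portal_jwt=([^;]+)/.exec(req.headers.cookie || '');
  const claims = cookie && verifyJwt(cookie[1], secret);
  if (!claims || typeof claims.sub !== 'string' || !claims.sub) return { ok: false, status: 401 };
  const owner = ownerOf(m[1]);
  // An unknown container has no owner; never let undefined === undefined pass.
  if (!owner || owner !== claims.sub) return { ok: false, status: 403 };
  return { ok: true, id: m[1], target: `http://${addressOf(m[1])}:6000` };
}

// 'upgrade' events never reach Express middleware, so the gate runs again
// here before the socket is handed to the proxy's upgrade handler.
function guardUpgrade(proxy, deps) {
  return (req, socket, head) => {
    const verdict = authorizeDevRequest(req, deps);
    if (!verdict.ok) {
      socket.end(`HTTP/1.1 ${verdict.status} Denied\r\nConnection: close\r\n\r\n`);
      return false;
    }
    proxy.upgrade(req, socket, head);
    return true;
  };
}
```

Wire it as `server.on('upgrade', guardUpgrade(proxy, deps))` in place of the bare `proxy.upgrade`, and call `authorizeDevRequest` from the HTTP middleware that sits in front of the proxy.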