Merge pull request #221 from ProverCoderAI/codex/ci-e2e-ssh-checks

Add browser SSH and project port proxy flows

Author: skulidropek

packages/api/src/api/contracts.ts

@@ -6,6 +6,7 @@ export type AgentStatus = "starting" | "running" | "stopping" | "stopped" | "exi
 
 export type ProjectSummary = {
   readonly id: string
+  readonly projectKey: string
   readonly displayName: string
   readonly repoUrl: string
   readonly repoRef: string
@@ -33,6 +34,29 @@ export type ProjectDetails = ProjectSummary & {
   readonly codexHome: string
 }
 
+export type ProjectPortForwardStatus = "running" | "stopped" | "unknown"
+
+export type ProjectPortForward = {
+  readonly id: string
+  readonly projectId: string
+  readonly projectKey: string
+  readonly targetPort: number
+  readonly hostPort: number
+  readonly bindHost: string
+  readonly publicHost: string
+  readonly proxyPath: string
+  readonly url: string
+  readonly status: ProjectPortForwardStatus
+  readonly containerName: string
+  readonly targetContainerName: string
+  readonly createdAt: string | null
+}
+
+export type ProjectPortForwardRequest = {
+  readonly targetPort: number
+  readonly hostPort?: number | undefined
+}
+
 export type GithubAuthTokenStatus = {
   readonly key: string
   readonly label: string

packages/api/src/api/schema.ts

@@ -124,6 +124,11 @@ export const UpProjectRequestSchema = Schema.Struct({
   useManagedAuthorizedKeys: OptionalBoolean
 })
 
+export const ProjectPortForwardRequestSchema = Schema.Struct({
+  hostPort: Schema.optional(Schema.Number),
+  targetPort: Schema.Number
+})
+
 export const AgentProviderSchema = Schema.Literal("codex", "opencode", "claude", "custom")
 
 export const AgentEnvVarSchema = Schema.Struct({
@@ -201,5 +206,6 @@ export type StateCommitRequestInput = Schema.Schema.Type<typeof StateCommitReque
 export type StateSyncRequestInput = Schema.Schema.Type<typeof StateSyncRequestSchema>
 export type ApplyAllRequestInput = Schema.Schema.Type<typeof ApplyAllRequestSchema>
 export type UpProjectRequestInput = Schema.Schema.Type<typeof UpProjectRequestSchema>
+export type ProjectPortForwardRequestInput = Schema.Schema.Type<typeof ProjectPortForwardRequestSchema>
 export type CreateAgentRequestInput = Schema.Schema.Type<typeof CreateAgentRequestSchema>
 export type CreateFollowRequestInput = Schema.Schema.Type<typeof CreateFollowRequestSchema>

packages/api/src/http.ts

@@ -24,6 +24,7 @@ import {
   GithubAuthLoginRequestSchema,
   GithubAuthLogoutRequestSchema,
   ProjectAuthRequestSchema,
+  ProjectPortForwardRequestSchema,
   StateCommitRequestSchema,
   StateInitRequestSchema,
   StateSyncRequestSchema,
@@ -73,6 +74,13 @@ import {
   upProject
 } from "./services/projects.js"
 import { readProjectAuthSnapshot, runProjectAuthFlow } from "./services/project-auth.js"
+import {
+  createProjectPortForward,
+  deleteProjectPortForward,
+  listProjectPortForwards
+} from "./services/project-port-forwards.js"
+import { proxyProjectPortForward } from "./services/project-port-proxy.js"
+import { parseProjectPortProxyPath } from "./services/project-port-proxy-core.js"
 import { createTerminalSession, deleteTerminalSession } from "./services/terminal-sessions.js"
 import {
   commitStateFromRequest,
@@ -88,6 +96,11 @@ const ProjectParamsSchema = Schema.Struct({
   projectId: Schema.String
 })
 
+const ProjectPortForwardParamsSchema = Schema.Struct({
+  projectId: Schema.String,
+  targetPort: Schema.String
+})
+
 const AgentParamsSchema = Schema.Struct({
   projectId: Schema.String,
   agentId: Schema.String
@@ -169,6 +182,26 @@ const parseQueryInt = (url: string, key: string, fallback: number): number => {
 const hasQueryParam = (url: string, key: string): boolean =>
   new URL(url, "http://localhost").searchParams.has(key)
 
+const parsePortParam = (value: string): Effect.Effect<number, ApiBadRequestError> => {
+  const parsed = Number.parseInt(value, 10)
+  return String(parsed) === value && parsed > 0 && parsed <= 65_535
+    ? Effect.succeed(parsed)
+    : Effect.fail(new ApiBadRequestError({ message: `Invalid port: ${value}` }))
+}
+
+const hostWithoutPort = (host: string): string => {
+  if (host.startsWith("[")) {
+    const end = host.indexOf("]")
+    return end === -1 ? host : host.slice(1, end)
+  }
+  return host.split(":")[0] ?? host
+}
+
+const resolvePortPublicHost = (request: HttpServerRequest.HttpServerRequest): string | undefined => {
+  const host = firstCommaValue(readHeader(request, "x-forwarded-host")) ?? readHeader(request, "host")
+  return host === undefined || host.trim().length === 0 ? undefined : hostWithoutPort(host.trim())
+}
+
 const errorResponse = (error: ApiError | unknown) => {
   if (ParseResult.isParseError(error)) {
     return jsonResponse(
@@ -228,6 +261,7 @@ const errorResponse = (error: ApiError | unknown) => {
 }
 
 const projectParams = HttpRouter.schemaParams(ProjectParamsSchema)
+const projectPortForwardParams = HttpRouter.schemaParams(ProjectPortForwardParamsSchema)
 const agentParams = HttpRouter.schemaParams(AgentParamsSchema)
 const terminalSessionParams = HttpRouter.schemaParams(TerminalSessionParamsSchema)
 const authTerminalSessionParams = HttpRouter.schemaParams(AuthTerminalSessionParamsSchema)
@@ -242,6 +276,7 @@ const readCodexAuthImportRequest = () => HttpServerRequest.schemaBodyJson(CodexA
 const readCodexAuthLoginRequest = () => HttpServerRequest.schemaBodyJson(CodexAuthLoginRequestSchema)
 const readCodexAuthLogoutRequest = () => HttpServerRequest.schemaBodyJson(CodexAuthLogoutRequestSchema)
 const readProjectAuthRequest = () => HttpServerRequest.schemaBodyJson(ProjectAuthRequestSchema)
+const readProjectPortForwardRequest = () => HttpServerRequest.schemaBodyJson(ProjectPortForwardRequestSchema)
 const readStateInitRequest = () => HttpServerRequest.schemaBodyJson(StateInitRequestSchema)
 const readStateCommitRequest = () => HttpServerRequest.schemaBodyJson(StateCommitRequestSchema)
 const readStateSyncRequest = () => HttpServerRequest.schemaBodyJson(StateSyncRequestSchema)
@@ -323,6 +358,16 @@ const terminalWebSocketUpgradeResponse = Effect.gen(function*(_) {
   )
 })
 
+const projectPortProxyResponse = Effect.gen(function*(_) {
+  const request = yield* _(HttpServerRequest.HttpServerRequest)
+  const pathname = new URL(request.url, "http://localhost").pathname
+  const target = parseProjectPortProxyPath(pathname)
+  if (target === null) {
+    return yield* _(Effect.fail(new ApiNotFoundError({ message: `Route not found: ${pathname}` })))
+  }
+  return yield* _(proxyProjectPortForward(request, target))
+})
+
 export const makeRouter = () => {
   const withUi = HttpRouter.empty.pipe(
     HttpRouter.get("/", 
@@ -651,6 +696,36 @@ export const makeRouter = () => {
         return yield* _(jsonResponse({ ok: true, snapshot }, 200))
       }).pipe(Effect.catchAll(errorResponse))
     ),
+    HttpRouter.get(
+      "/projects/:projectId/ports",
+      projectParams.pipe(
+        Effect.flatMap(({ projectId }) => listProjectPortForwards(projectId)),
+        Effect.flatMap((forwards) => jsonResponse({ forwards }, 200)),
+        Effect.catchAll(errorResponse)
+      )
+    ),
+    HttpRouter.post(
+      "/projects/:projectId/ports",
+      Effect.gen(function*(_) {
+        const { projectId } = yield* _(projectParams)
+        const request = yield* _(readProjectPortForwardRequest())
+        const serverRequest = yield* _(HttpServerRequest.HttpServerRequest)
+        const forward = yield* _(createProjectPortForward(projectId, request, resolvePortPublicHost(serverRequest)))
+        return yield* _(jsonResponse({ forward }, 201))
+      }).pipe(Effect.catchAll(errorResponse))
+    ),
+    HttpRouter.del(
+      "/projects/:projectId/ports/:targetPort",
+      projectPortForwardParams.pipe(
+        Effect.flatMap(({ projectId, targetPort }) =>
+          parsePortParam(targetPort).pipe(
+            Effect.flatMap((port) => deleteProjectPortForward(projectId, port))
+          )
+        ),
+        Effect.flatMap(() => jsonResponse({ ok: true }, 200)),
+        Effect.catchAll(errorResponse)
+      )
+    ),
     HttpRouter.del(
       "/projects/:projectId",
       projectParams.pipe(
@@ -877,6 +952,10 @@ export const makeRouter = () => {
         ),
         Effect.catchAll(errorResponse)
       )
+    ),
+    HttpRouter.all(
+      "*",
+      projectPortProxyResponse.pipe(Effect.catchAll(errorResponse))
     )
   )
 }

packages/api/src/services/project-port-forward-core.ts

@@ -0,0 +1,197 @@
+import { createHash } from "node:crypto"
+
+import type { ProjectPortForward, ProjectPortForwardStatus } from "../api/contracts.js"
+import { projectShortKey, renderForwardProxyPath } from "./project-port-proxy-core.js"
+
+export const portForwardKindLabel = "ai.docker-git.kind"
+export const portForwardKindValue = "port-forward"
+export const portForwardProjectLabel = "ai.docker-git.project-id"
+export const portForwardTargetPortLabel = "ai.docker-git.target-port"
+export const portForwardHostPortLabel = "ai.docker-git.host-port"
+export const portForwardBindHostLabel = "ai.docker-git.bind-host"
+export const portForwardPublicHostLabel = "ai.docker-git.public-host"
+export const portForwardTargetContainerLabel = "ai.docker-git.target-container"
+
+const dockerNameMaxLength = 63
+const defaultHostPortSearchLimit = 200
+
+export type PortForwardRow = {
+  readonly id: string
+  readonly name: string
+  readonly state: string
+  readonly createdAt: string
+  readonly projectId: string
+  readonly targetPort: string
+  readonly hostPort: string
+  readonly bindHost: string
+  readonly publicHost: string
+  readonly targetContainerName: string
+}
+
+export type PortForwardRequestPorts = {
+  readonly targetPort: number
+  readonly hostPort: number | undefined
+}
+
+type PortValidationResult =
+  | { readonly ok: true; readonly port: number }
+  | { readonly ok: false; readonly message: string }
+
+type PortRequestValidationResult =
+  | { readonly ok: true; readonly ports: PortForwardRequestPorts }
+  | { readonly ok: false; readonly message: string }
+
+const sanitizeNameChunk = (value: string): string =>
+  value
+    .toLowerCase()
+    .replace(/[^a-z0-9_.-]+/g, "-")
+    .replace(/^-+|-+$/g, "")
+
+const shortHash = (value: string): string => createHash("sha256").update(value).digest("hex").slice(0, 12)
+
+const normalizeDockerName = (value: string): string => {
+  const sanitized = sanitizeNameChunk(value)
+  const name = sanitized.length === 0 ? "port" : sanitized
+  return name.length <= dockerNameMaxLength ? name : name.slice(0, dockerNameMaxLength)
+}
+
+export const buildPortForwardContainerName = (
+  projectId: string,
+  targetPort: number
+): string => normalizeDockerName(`dg-port-${shortHash(projectId)}-${targetPort}`)
+
+export const validatePort = (value: number, label: string): PortValidationResult =>
+  Number.isInteger(value) && value > 0 && value <= 65_535
+    ? { ok: true, port: value }
+    : { ok: false, message: `${label} must be an integer between 1 and 65535.` }
+
+export const normalizePortForwardRequest = (
+  targetPort: number,
+  hostPort: number | undefined
+): PortRequestValidationResult => {
+  const target = validatePort(targetPort, "targetPort")
+  if (!target.ok) {
+    return target
+  }
+  if (hostPort === undefined) {
+    return { ok: true, ports: { targetPort: target.port, hostPort: undefined } }
+  }
+  const host = validatePort(hostPort, "hostPort")
+  return host.ok
+    ? { ok: true, ports: { targetPort: target.port, hostPort: host.port } }
+    : host
+}
+
+export const selectHostPort = (
+  preferredPort: number,
+  requestedPort: number | undefined,
+  usedPorts: ReadonlySet<number>,
+  searchLimit = defaultHostPortSearchLimit
+): number | null => {
+  if (requestedPort !== undefined) {
+    return usedPorts.has(requestedPort) ? null : requestedPort
+  }
+  for (let port = preferredPort; port <= 65_535 && port < preferredPort + searchLimit; port += 1) {
+    if (!usedPorts.has(port)) {
+      return port
+    }
+  }
+  return null
+}
+
+export const publicHostFromEnv = (fallback = "localhost"): string =>
+  process.env["DOCKER_GIT_PUBLIC_HOST"]?.trim() || fallback
+
+export const bindHostFromEnv = (): string =>
+  process.env["DOCKER_GIT_PUBLIC_BIND_HOST"]?.trim() || "0.0.0.0"
+
+export const projectsRootVolumeFromEnv = (): string =>
+  process.env["DOCKER_GIT_PROJECTS_ROOT_VOLUME"]?.trim() || "docker-git-projects"
+
+export const renderForwardUrl = (publicHost: string, hostPort: number): string =>
+  `http://${publicHost}:${hostPort}`
+
+export const statusFromDockerState = (state: string): ProjectPortForwardStatus => {
+  const normalized = state.trim().toLowerCase()
+  if (normalized === "running") {
+    return "running"
+  }
+  if (normalized === "exited" || normalized === "created" || normalized === "dead" || normalized === "removing") {
+    return "stopped"
+  }
+  return "unknown"
+}
+
+const parseRowPort = (value: string): number => {
+  const parsed = Number.parseInt(value, 10)
+  return Number.isInteger(parsed) ? parsed : 0
+}
+
+export const parsePortForwardRows = (output: string): ReadonlyArray<PortForwardRow> =>
+  output
+    .split(/\r?\n/u)
+    .map((line) => line.trimEnd())
+    .filter((line) => line.length > 0)
+    .flatMap((line) => {
+      const parts = line.split("\t")
+      if (parts.length < 10) {
+        return []
+      }
+      const [id, name, state, createdAt, projectId, targetPort, hostPort, bindHost, publicHost, targetContainerName] = parts
+      return id === undefined ||
+        name === undefined ||
+        state === undefined ||
+        createdAt === undefined ||
+        projectId === undefined ||
+        targetPort === undefined ||
+        hostPort === undefined ||
+        bindHost === undefined ||
+        publicHost === undefined ||
+        targetContainerName === undefined
+        ? []
+        : [{ id, name, state, createdAt, projectId, targetPort, hostPort, bindHost, publicHost, targetContainerName }]
+    })
+
+export const rowToProjectPortForward = (row: PortForwardRow): ProjectPortForward => {
+  const hostPort = parseRowPort(row.hostPort)
+  const publicHost = row.publicHost.trim().length > 0 ? row.publicHost : "localhost"
+  return {
+    bindHost: row.bindHost,
+    containerName: row.name,
+    createdAt: row.createdAt.trim().length === 0 ? null : row.createdAt,
+    hostPort,
+    id: row.id,
+    projectId: row.projectId,
+    projectKey: projectShortKey(row.projectId),
+    proxyPath: renderForwardProxyPath(row.projectId, parseRowPort(row.targetPort)),
+    publicHost,
+    status: statusFromDockerState(row.state),
+    targetContainerName: row.targetContainerName,
+    targetPort: parseRowPort(row.targetPort),
+    url: renderForwardUrl(publicHost, hostPort)
+  }
+}
+
+export const rowsToProjectPortForwards = (rows: ReadonlyArray<PortForwardRow>): ReadonlyArray<ProjectPortForward> =>
+  rows.map(rowToProjectPortForward)
+
+export const buildForwardSshScript = (
+  targetIp: string,
+  sshUser: string,
+  targetPort: number
+): string => [
+  "set -euo pipefail",
+  "KEY=/tmp/docker-git-dev-ssh-key",
+  "cp /docker-git-projects/dev_ssh_key \"$KEY\"",
+  "chmod 600 \"$KEY\"",
+  "exec ssh -N \\",
+  "  -i \"$KEY\" \\",
+  "  -o ExitOnForwardFailure=yes \\",
+  "  -o ServerAliveInterval=30 \\",
+  "  -o ServerAliveCountMax=3 \\",
+  "  -o StrictHostKeyChecking=no \\",
+  "  -o UserKnownHostsFile=/dev/null \\",
+  "  -o LogLevel=ERROR \\",
+  `  -L 0.0.0.0:${targetPort}:127.0.0.1:${targetPort} \\`,
+  `  -p 22 ${sshUser}@${targetIp}`
+].join("\n")