Files
pikasTech-unidesk/scripts/src/remote.ts
T
2026-06-11 16:26:35 +00:00

1623 lines
65 KiB
TypeScript

import { spawn } from "node:child_process";
import { mkdtemp, readFile, rm, writeFile } from "node:fs/promises";
import { tmpdir } from "node:os";
import path from "node:path";
import { type UniDeskConfig } from "./config";
import { type DebugDispatchCommand, isDebugDispatchCommand } from "./debug";
import { summarizeMicroserviceHealthResponse, summarizeMicroserviceObservation, summarizeMicroserviceProxyResponse } from "./microservices";
import { parseNetworkPerfOptions, runNetworkPerf } from "./network-perf";
import {
buildWindowsPowerShellInvocation,
createSshStdoutForwarder,
formatSshFailureHint,
formatSshRuntimeTimeoutHint,
formatSshRuntimeTimingHint,
normalizeSshOperationArgs,
parseSshInvocation,
remoteCommandForRoute,
sshFailureHint,
sshRouteSeparatorCompatibilityHint,
sshRoutePayloadCwd,
sshRuntimeTimeoutHint,
sshRuntimeTimeoutMs,
sshRuntimeTimingHint,
wrapSshRemoteCommand,
type SshCaptureResult,
} from "./ssh";
import {
isSshFileTransferOperation,
runSshFileTransferOperation,
type SshRemoteCommandExecutor,
type SshRemoteCommandStreamHandlers,
} from "./ssh-file-transfer";
import { runApplyPatchV2, type ApplyPatchV2Executor } from "./apply-patch-v2";
import { codexJudgeQueryAsync, codexOutputQueryAsync, codexPrPreflightQueryAsync, codexQueuesQueryAsync, codexTaskQueryAsync, codexTasksQueryAsync, codexUnreadTriageAsync } from "./code-queue";
import { runDecisionCenterCommandAsync } from "./decision-center";
import {
artifactRegistryReadonlyResultFromCommand,
buildArtifactRegistryReadonlyProbe,
parseArtifactRegistryOptions,
} from "./artifact-registry";
import { runCiPublishBackendCoreDryRunPreflight, runCiPublishUserServiceDryRunPreflight } from "./ci";
export interface RemoteCliOptions {
host: string | null;
user: string;
port: number;
projectRoot: string;
identityFile: string | null;
transport: "auto" | "frontend" | "ssh";
args: string[];
}
export type RemoteFailureClassification = "auth-missing" | "remote-proxy-missing" | "provider-unreachable" | "local-docker-required";
export interface AutoRemoteCiPublishPlan {
enabled: boolean;
host: string | null;
reason: string;
failureClassification: RemoteFailureClassification | null;
transport: "frontend";
command: string | null;
}
interface FrontendSession {
baseUrl: string;
cookie: string;
sshClientToken: string | null;
}
interface FetchJsonResult {
ok: boolean;
status?: number;
body?: unknown;
error?: string;
responseHeaders?: Record<string, string>;
responseTruncated?: boolean;
responseBytesRead?: number;
responseContentLength?: string | null;
}
class RemoteCliFailure extends Error {
readonly failureClassification: RemoteFailureClassification;
readonly runnerDisposition = "infra-blocked";
readonly detail: unknown;
constructor(failureClassification: RemoteFailureClassification, message: string, detail?: unknown) {
super(message);
this.name = "RemoteCliFailure";
this.failureClassification = failureClassification;
this.detail = detail ?? null;
}
}
const hostOptions = new Set(["--main-server-ip", "--main-server", "--server"]);
const userOptions = new Set(["--main-server-user", "--server-user"]);
const portOptions = new Set(["--main-server-port", "--server-port"]);
const rootOptions = new Set(["--main-server-root", "--server-root"]);
const keyOptions = new Set(["--main-server-key", "--server-key"]);
const transportOptions = new Set(["--main-server-transport", "--server-transport"]);
const remoteSshInputChunkBytes = 32 * 1024;
function positivePort(raw: string, option: string): number {
const value = Number(raw);
if (!Number.isInteger(value) || value <= 0 || value > 65535) throw new Error(`${option} must be a TCP port from 1 to 65535`);
return value;
}
function requiredValue(argv: string[], index: number, option: string): string {
const value = argv[index + 1];
if (value === undefined || value.length === 0) throw new Error(`${option} requires a non-empty value`);
return value;
}
function transportValue(raw: string, option: string): RemoteCliOptions["transport"] {
if (raw === "auto" || raw === "frontend" || raw === "ssh") return raw;
throw new Error(`${option} must be one of: auto, frontend, ssh`);
}
function truthyDisabled(raw: string | undefined): boolean {
if (raw === undefined) return false;
const normalized = raw.trim().toLowerCase();
return normalized === "0" || normalized === "false" || normalized === "off" || normalized === "disabled";
}
function normalizeRemoteHostHint(raw: string | undefined): string | null {
const value = raw?.trim() ?? "";
if (value.length === 0) return null;
if (value === "localhost" || value === "127.0.0.1" || value === "::1") return null;
return value.replace(/\/+$/u, "");
}
function remoteHttpClientMode(env: NodeJS.ProcessEnv = process.env): "curl" | "fetch" {
const explicit = env.UNIDESK_REMOTE_HTTP_CLIENT?.trim().toLowerCase();
if (explicit === "fetch") return "fetch";
if (explicit === "curl") return "curl";
return isCodeQueueRunnerEnv(env) ? "curl" : "fetch";
}
function isCodeQueueRunnerEnv(env: NodeJS.ProcessEnv): boolean {
return Boolean(env.CODE_QUEUE_SERVICE_ROLE || env.CODE_QUEUE_INSTANCE_ID || env.CODE_QUEUE_DEV_CONTAINER_MASTER_HOST || env.KUBERNETES_SERVICE_HOST);
}
export function autoRemoteCiPublishUserServiceDryRunPlan(
config: UniDeskConfig,
args: string[],
env: NodeJS.ProcessEnv = process.env,
): AutoRemoteCiPublishPlan {
const [top, sub] = args;
const isPublishDryRun = top === "ci" && (sub === "publish-user-service" || sub === "publish-backend-core") && args.includes("--dry-run");
if (!isPublishDryRun) {
return { enabled: false, host: null, reason: "not ci publish-user-service/publish-backend-core --dry-run", failureClassification: null, transport: "frontend", command: null };
}
if (truthyDisabled(env.UNIDESK_CI_PUBLISH_AUTO_REMOTE)) {
return { enabled: false, host: null, reason: "UNIDESK_CI_PUBLISH_AUTO_REMOTE disables automatic remote preflight", failureClassification: "local-docker-required", transport: "frontend", command: null };
}
const explicitHost = normalizeRemoteHostHint(env.CODE_QUEUE_DEV_CONTAINER_MASTER_HOST)
?? normalizeRemoteHostHint(env.UNIDESK_MAIN_SERVER_IP)
?? normalizeRemoteHostHint(env.UNIDESK_MAIN_SERVER_HOST);
const host = explicitHost ?? (isCodeQueueRunnerEnv(env) ? normalizeRemoteHostHint(config.network.publicHost) : null);
if (host === null) {
return { enabled: false, host: null, reason: "no remote main-server frontend host was detected for this runner", failureClassification: "local-docker-required", transport: "frontend", command: null };
}
return {
enabled: true,
host,
reason: explicitHost === null
? "Code Queue runner environment detected; using config.network.publicHost as the frontend control-plane"
: "runner remote main-server frontend host detected",
failureClassification: null,
transport: "frontend",
command: ["bun", "scripts/cli.ts", "--main-server-ip", host, ...args].join(" "),
};
}
export function extractRemoteCliOptions(argv: string[]): RemoteCliOptions {
const rest: string[] = [];
const options: RemoteCliOptions = {
host: null,
user: "root",
port: 22,
projectRoot: "/root/unidesk",
identityFile: null,
transport: "auto",
args: rest,
};
for (let index = 0; index < argv.length; index += 1) {
const arg = argv[index] ?? "";
if (arg === "--") {
if (rest.length === 0) {
rest.push(...argv.slice(index + 1));
break;
}
rest.push(arg);
continue;
}
if (hostOptions.has(arg)) {
options.host = requiredValue(argv, index, arg);
index += 1;
continue;
}
if (userOptions.has(arg)) {
options.user = requiredValue(argv, index, arg);
index += 1;
continue;
}
if (portOptions.has(arg)) {
options.port = positivePort(requiredValue(argv, index, arg), arg);
index += 1;
continue;
}
if (rootOptions.has(arg)) {
options.projectRoot = requiredValue(argv, index, arg);
index += 1;
continue;
}
if (keyOptions.has(arg)) {
options.identityFile = requiredValue(argv, index, arg);
index += 1;
continue;
}
if (transportOptions.has(arg)) {
options.transport = transportValue(requiredValue(argv, index, arg), arg);
index += 1;
continue;
}
rest.push(arg);
}
return options;
}
function shellQuote(value: string): string {
return `'${value.replace(/'/g, `'\\''`)}'`;
}
async function runRemoteCliOverSsh(options: RemoteCliOptions): Promise<number> {
if (options.host === null) throw new Error("runRemoteCli requires --main-server-ip or --server");
const remoteArgs = options.args.length === 0 ? ["help"] : options.args;
const remoteCommand = [
"cd",
shellQuote(options.projectRoot),
"&&",
"exec",
"bun",
"scripts/cli.ts",
...remoteArgs.map(shellQuote),
].join(" ");
const sshArgs = [
"-p",
String(options.port),
"-o",
"BatchMode=yes",
"-o",
"StrictHostKeyChecking=accept-new",
"-o",
"ServerAliveInterval=20",
"-o",
"ServerAliveCountMax=3",
];
if (options.identityFile !== null) sshArgs.push("-i", options.identityFile);
sshArgs.push(`${options.user}@${options.host}`, remoteCommand);
const child = spawn("ssh", sshArgs, {
stdio: ["inherit", "inherit", "inherit"],
});
return await new Promise<number>((resolve) => {
child.on("error", (error) => {
process.stderr.write(`unidesk remote cli failed to start ssh: ${error.message}\n`);
resolve(127);
});
child.on("close", (code) => resolve(code ?? 255));
});
}
function emitRemoteJson(command: string, data: unknown, ok = true): void {
process.stdout.write(`${JSON.stringify({ ok, command, data }, null, 2)}\n`);
}
function emitRemoteError(command: string, error: unknown): void {
const payload = error instanceof Error
? { name: error.name, message: error.message, stack: error.stack ?? null }
: { message: String(error) };
const classification = error instanceof RemoteCliFailure
? {
failureClassification: error.failureClassification,
runnerDisposition: error.runnerDisposition,
retryable: error.failureClassification !== "auth-missing",
detail: error.detail,
recoveryHints: remoteFailureRecoveryHints(error.failureClassification),
}
: null;
process.stdout.write(`${JSON.stringify({
ok: false,
command,
...(classification === null ? {} : classification),
error: payload,
}, null, 2)}\n`);
}
function remoteFailureRecoveryHints(classification: RemoteFailureClassification): string[] {
if (classification === "auth-missing") {
return [
"verify config.json frontend auth.username/auth.password against the remote main-server frontend login",
"retry the same command through --main-server-ip after credentials are restored",
];
}
if (classification === "remote-proxy-missing") {
return [
"verify the remote frontend is reachable on the configured public frontend port",
"verify frontend can proxy /api to backend-core before retrying artifact publish preflight",
];
}
if (classification === "provider-unreachable") {
return [
"verify backend-core /api/dispatch can create D601 host.ssh tasks",
"verify the D601 provider-gateway host.ssh capability and artifact registry health",
];
}
return [
"run this read-only preflight with --main-server-ip <host> from runner environments without local backend-core/database containers",
];
}
function commandName(args: string[]): string {
return args.join(" ") || "help";
}
function frontendBaseUrl(host: string, config: UniDeskConfig): string {
if (host.startsWith("http://") || host.startsWith("https://")) return host.replace(/\/+$/, "");
if (/:\d+$/.test(host)) return `http://${host}`;
return `http://${host}:${config.network.frontend.port}`;
}
async function readJson(url: string, init?: RequestInit, timeoutMs = 8000, maxResponseBytes = 5_000_000): Promise<FetchJsonResult> {
if (remoteHttpClientMode() === "curl") return readJsonWithCurl(url, init, timeoutMs, maxResponseBytes);
const controller = new AbortController();
const timer = setTimeout(() => controller.abort(), timeoutMs);
try {
const res = await fetch(url, { ...init, signal: controller.signal });
const reader = res.body?.getReader();
const chunks: Uint8Array[] = [];
let bytes = 0;
let responseTruncated = false;
if (reader !== undefined) {
while (true) {
const { done, value } = await reader.read();
if (done) break;
if (bytes + value.byteLength > maxResponseBytes) {
const keep = Math.max(0, maxResponseBytes - bytes);
if (keep > 0) {
chunks.push(value.slice(0, keep));
bytes += keep;
}
responseTruncated = true;
try {
await reader.cancel();
} catch {
// Ignore cancel failures after the bounded preview has been collected.
}
break;
}
chunks.push(value);
bytes += value.byteLength;
}
}
const buffer = new Uint8Array(bytes);
let offset = 0;
for (const chunk of chunks) {
buffer.set(chunk, offset);
offset += chunk.byteLength;
}
const text = new TextDecoder().decode(buffer);
let body: unknown = null;
try {
body = text.length > 0 && !responseTruncated ? JSON.parse(text) : null;
} catch {
body = { text };
}
if (responseTruncated) {
body = { _unideskResponseTruncated: true, maxResponseBytes, bytesRead: bytes, contentLength: res.headers.get("content-length"), textPreview: text };
}
return { ok: res.ok, status: res.status, body, responseHeaders: responseHeadersRecord(res.headers), responseTruncated, responseBytesRead: bytes, responseContentLength: res.headers.get("content-length") };
} catch (error) {
return { ok: false, error: error instanceof Error ? error.message : String(error) };
} finally {
clearTimeout(timer);
}
}
function responseHeadersRecord(headers: Headers): Record<string, string> {
const record: Record<string, string> = {};
headers.forEach((value, key) => {
record[key.toLowerCase()] = value;
});
return record;
}
function requestHeaders(init?: RequestInit): Array<[string, string]> {
const headers = new Headers(init?.headers);
const output: Array<[string, string]> = [];
headers.forEach((value, key) => output.push([key, value]));
return output;
}
async function runCurl(args: string[], timeoutMs: number): Promise<{ status: number | null; stdout: string; stderr: string; timedOut: boolean; error?: string }> {
const child = spawn("curl", args, { stdio: ["ignore", "pipe", "pipe"] });
const stdoutChunks: Buffer[] = [];
const stderrChunks: Buffer[] = [];
let timedOut = false;
const timer = setTimeout(() => {
timedOut = true;
child.kill("SIGTERM");
}, timeoutMs + 1000);
child.stdout?.on("data", (chunk) => stdoutChunks.push(Buffer.from(chunk)));
child.stderr?.on("data", (chunk) => stderrChunks.push(Buffer.from(chunk)));
return await new Promise((resolve) => {
child.on("error", (error) => {
clearTimeout(timer);
resolve({ status: null, stdout: "", stderr: "", timedOut, error: error.message });
});
child.on("close", (status) => {
clearTimeout(timer);
resolve({
status,
stdout: Buffer.concat(stdoutChunks).toString("utf8"),
stderr: Buffer.concat(stderrChunks).toString("utf8"),
timedOut,
});
});
});
}
function parseCurlResponseHeaders(raw: string): Record<string, string> {
const blocks = raw.split(/\r?\n\r?\n/u).map((block) => block.trim()).filter(Boolean);
const latest = blocks.at(-1) ?? "";
const headers: Record<string, string> = {};
for (const line of latest.split(/\r?\n/u).slice(1)) {
const splitAt = line.indexOf(":");
if (splitAt <= 0) continue;
headers[line.slice(0, splitAt).trim().toLowerCase()] = line.slice(splitAt + 1).trim();
}
return headers;
}
function decodeBoundedBody(buffer: Buffer, maxResponseBytes: number): { text: string; truncated: boolean; bytesRead: number } {
if (buffer.byteLength <= maxResponseBytes) return { text: buffer.toString("utf8"), truncated: false, bytesRead: buffer.byteLength };
return { text: buffer.subarray(0, maxResponseBytes).toString("utf8"), truncated: true, bytesRead: maxResponseBytes };
}
async function readJsonWithCurl(url: string, init?: RequestInit, timeoutMs = 8000, maxResponseBytes = 5_000_000): Promise<FetchJsonResult> {
const dir = await mkdtemp(path.join(tmpdir(), "unidesk-remote-http-"));
const headersFile = path.join(dir, "headers.txt");
const bodyFile = path.join(dir, "body.bin");
const requestBodyFile = path.join(dir, "request-body.bin");
try {
const method = init?.method ?? (init?.body === undefined ? "GET" : "POST");
const args = [
"-sS",
"--max-time", String(Math.max(1, Math.ceil(timeoutMs / 1000))),
"-D", headersFile,
"-o", bodyFile,
"-w", "%{http_code}",
"-X", method,
];
for (const [key, value] of requestHeaders(init)) args.push("-H", `${key}: ${value}`);
if (init?.body !== undefined) {
await writeFile(requestBodyFile, typeof init.body === "string" ? init.body : String(init.body));
args.push("--data-binary", `@${requestBodyFile}`);
}
args.push(url);
const curl = await runCurl(args, timeoutMs);
if (curl.status !== 0) {
const curlError = curl.error ?? curl.stderr.trim();
return {
ok: false,
status: curl.stdout.trim().match(/^\d{3}$/u) ? Number(curl.stdout.trim()) : undefined,
error: curl.timedOut ? `curl timed out after ${timeoutMs}ms` : (curlError.length > 0 ? curlError : `curl exited with ${curl.status}`),
};
}
const status = Number(curl.stdout.trim());
const headersText = await readFile(headersFile, "utf8").catch(() => "");
const responseHeaders = parseCurlResponseHeaders(headersText);
const bodyBuffer = await readFile(bodyFile).catch(() => Buffer.alloc(0));
const decoded = decodeBoundedBody(bodyBuffer, maxResponseBytes);
let body: unknown = null;
try {
body = decoded.text.length > 0 && !decoded.truncated ? JSON.parse(decoded.text) : null;
} catch {
body = { text: decoded.text };
}
if (decoded.truncated) {
body = {
_unideskResponseTruncated: true,
maxResponseBytes,
bytesRead: decoded.bytesRead,
contentLength: responseHeaders["content-length"] ?? null,
textPreview: decoded.text,
};
}
return {
ok: status >= 200 && status < 300,
status,
body,
responseHeaders,
responseTruncated: decoded.truncated,
responseBytesRead: decoded.bytesRead,
responseContentLength: responseHeaders["content-length"] ?? null,
};
} catch (error) {
return { ok: false, error: error instanceof Error ? error.message : String(error) };
} finally {
await rm(dir, { recursive: true, force: true }).catch(() => undefined);
}
}
async function loginFrontend(host: string, config: UniDeskConfig): Promise<FrontendSession> {
const baseUrl = frontendBaseUrl(host, config);
const res = await readJson(`${baseUrl}/login`, {
method: "POST",
headers: { "content-type": "application/json" },
body: JSON.stringify({ username: config.auth.username, password: config.auth.password }),
}, 8_000, 120_000);
if (!res.ok) {
const failureClassification: RemoteFailureClassification = res.status === 401 || res.status === 403 ? "auth-missing" : "remote-proxy-missing";
throw new RemoteCliFailure(failureClassification, `frontend login failed via ${baseUrl}: status=${res.status ?? "unknown"} body=${JSON.stringify(res.body ?? res.error).slice(0, 300)}`, { baseUrl, status: res.status ?? null });
}
const cookie = res.responseHeaders?.["set-cookie"]?.split(";")[0] ?? "";
if (cookie.length === 0) throw new RemoteCliFailure("auth-missing", `frontend login via ${baseUrl} did not return a session cookie`, { baseUrl, status: res.status ?? null });
return { baseUrl, cookie, sshClientToken: null };
}
function sshClientTokenFromEnv(env: NodeJS.ProcessEnv = process.env): string | null {
const token = env.UNIDESK_SSH_CLIENT_TOKEN?.trim() ?? "";
return token.length > 0 ? token : null;
}
function scopedSshFrontendSession(host: string, config: UniDeskConfig, token: string): FrontendSession {
return { baseUrl: frontendBaseUrl(host, config), cookie: "", sshClientToken: token };
}
export async function runRemoteSshCommandCapture(
config: UniDeskConfig,
host: string,
target: string,
args: string[],
input?: string,
env: NodeJS.ProcessEnv = process.env,
): Promise<SshCaptureResult> {
const token = sshClientTokenFromEnv(env);
const session = token === null
? await loginFrontend(host, config)
: scopedSshFrontendSession(host, config, token);
const normalizedArgs = normalizeSshOperationArgs(args);
const invocation = parseSshInvocation(target, normalizedArgs);
const parsed = invocation.parsed;
if (parsed.remoteCommand === null) throw new Error(`remote ssh ${target} capture requires a non-interactive operation`);
const stdin = parsed.stdinPrefix !== undefined || parsed.stdinSuffix !== undefined
? `${parsed.stdinPrefix ?? ""}${input ?? ""}${parsed.stdinSuffix ?? ""}`
: input;
return await runRemoteSshWebSocketCaptureRemoteCommand(session, invocation, parsed.remoteCommand, stdin);
}
async function frontendJson(session: FrontendSession, path: string, init?: RequestInit, timeoutMs = 8000, maxResponseBytes = 5_000_000): Promise<FetchJsonResult> {
const headers = new Headers(init?.headers);
headers.set("cookie", session.cookie);
if (init?.body !== undefined && !headers.has("content-type")) headers.set("content-type", "application/json");
return readJson(`${session.baseUrl}${path}`, { ...init, headers }, timeoutMs, maxResponseBytes);
}
function stringOption(args: string[], name: string): string | undefined {
const index = args.indexOf(name);
if (index === -1) return undefined;
const raw = args[index + 1];
if (raw === undefined || raw.length === 0) throw new Error(`${name} requires a non-empty value`);
return raw;
}
function numberOption(args: string[], name: string, defaultValue: number): number {
const raw = stringOption(args, name);
if (raw === undefined) return defaultValue;
const value = Number(raw);
if (!Number.isInteger(value) || value <= 0) throw new Error(`${name} must be a positive integer`);
return value;
}
function cappedNumberOption(args: string[], name: string, defaultValue: number, maxValue: number): number {
return Math.min(numberOption(args, name, defaultValue), maxValue);
}
function jsonOption(args: string[], name: string): Record<string, unknown> | undefined {
const raw = stringOption(args, name);
if (raw === undefined) return undefined;
const parsed = JSON.parse(raw) as unknown;
if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) throw new Error(`${name} must be a JSON object`);
return parsed as Record<string, unknown>;
}
function dispatchPayload(args: string[], command: DebugDispatchCommand): Record<string, unknown> {
const explicit = jsonOption(args, "--payload-json") ?? {};
if (command === "provider.upgrade") {
return { source: "cli-remote", mode: stringOption(args, "--mode") ?? stringOption(args, "--upgrade-mode") ?? "plan", ...explicit };
}
if (command === "host.ssh") {
const sshCommand = stringOption(args, "--ssh-command");
return {
source: "cli-remote",
mode: sshCommand === undefined ? "probe" : "exec",
...(sshCommand === undefined ? {} : { command: sshCommand }),
...(stringOption(args, "--cwd") === undefined ? {} : { cwd: stringOption(args, "--cwd") }),
...(args.includes("--timeout-ms") ? { timeoutMs: numberOption(args, "--timeout-ms", 8000) } : {}),
...explicit,
};
}
return { source: "cli-remote", ...explicit };
}
function summarizeSystemStatus(response: FetchJsonResult): FetchJsonResult {
const body = response.body as { systemStatuses?: Array<Record<string, unknown>>; ok?: boolean } | null;
const systemStatuses = (body?.systemStatuses ?? []).map((item) => {
const current = (item.current ?? {}) as Record<string, unknown>;
const history = Array.isArray(item.history) ? item.history : [];
return {
providerId: item.providerId,
name: item.name,
nodeStatus: item.nodeStatus,
updatedAt: item.updatedAt,
current: item.current === null || item.current === undefined ? null : {
ok: current.ok,
collectedAt: current.collectedAt,
cpu: current.cpu,
memory: current.memory,
disk: current.disk,
},
historyPreview: history.slice(-8),
historyCount: history.length,
};
});
return { ...response, body: { ok: body?.ok === true, systemStatuses } };
}
function summarizeDockerStatus(response: FetchJsonResult): FetchJsonResult {
const body = response.body as { dockerStatuses?: Array<Record<string, unknown>>; ok?: boolean } | null;
const dockerStatuses = (body?.dockerStatuses ?? []).map((item) => {
const status = (item.dockerStatus ?? {}) as Record<string, unknown>;
const containers = Array.isArray(status.containers) ? status.containers : [];
return {
providerId: item.providerId,
name: item.name,
nodeStatus: item.nodeStatus,
updatedAt: item.updatedAt,
dockerStatus: {
ok: status.ok,
socketPresent: status.socketPresent,
collectedAt: status.collectedAt,
counts: status.counts,
daemon: status.daemon,
containersPreview: containers.slice(0, 8),
},
};
});
return { ...response, body: { ok: body?.ok === true, dockerStatuses } };
}
async function waitForFrontendTask(session: FrontendSession, taskId: string, timeoutMs: number): Promise<unknown> {
const started = Date.now();
let latest: unknown = null;
while (Date.now() - started < timeoutMs) {
latest = await frontendJson(session, `/api/tasks/${encodeURIComponent(taskId)}`, undefined, 8000, 5_000_000);
const body = latest as { body?: { task?: { id?: string; status?: string; result?: unknown } } };
const task = body.body?.task;
if (task?.status === "succeeded" || task?.status === "failed") return { ok: true, task };
await Bun.sleep(500);
}
return { ok: false, timeoutMs, latest };
}
async function remoteHealth(session: FrontendSession, config: UniDeskConfig): Promise<unknown> {
return {
transport: "frontend",
frontendPublic: await readJson(`${session.baseUrl}/health`),
providerIngressPublic: await readJson(`http://${new URL(session.baseUrl).hostname}:${config.network.providerIngress.port}/health`),
overviewInternal: await frontendJson(session, "/api/overview"),
nodesInternal: await frontendJson(session, "/api/nodes"),
systemStatusInternal: summarizeSystemStatus(await frontendJson(session, "/api/nodes/system-status?limit=24")),
dockerStatusInternal: summarizeDockerStatus(await frontendJson(session, "/api/nodes/docker-status")),
publicExposureBoundary: {
coreHostPort: { port: config.network.core.port, expected: "not-exposed" },
databaseHostPort: { port: config.network.database.port, expected: "restricted-to-code-queue-provider" },
oaEventFlowHostPort: { port: 4255, expected: "restricted-to-code-queue-provider" },
},
};
}
async function remoteDebugDispatch(session: FrontendSession, config: UniDeskConfig, args: string[]): Promise<unknown> {
const third = args[2];
const fourth = args[3];
const providerId = isDebugDispatchCommand(third) ? config.providerGateway.id : third ?? config.providerGateway.id;
const commandArg = isDebugDispatchCommand(third) ? third : fourth;
const dispatchCommand = isDebugDispatchCommand(commandArg) ? commandArg : "docker.ps";
const dispatch = await frontendJson(session, "/api/dispatch", {
method: "POST",
body: JSON.stringify({ providerId, command: dispatchCommand, payload: dispatchPayload(args, dispatchCommand) }),
});
const taskId = (dispatch as { body?: { taskId?: string } }).body?.taskId ?? "";
const waitMs = numberOption(args, "--wait-ms", 0);
const wait = waitMs > 0 && taskId.length > 0 ? await waitForFrontendTask(session, taskId, waitMs) : null;
return { transport: "frontend", dispatch, wait };
}
async function remoteDebugTask(session: FrontendSession, args: string[]): Promise<unknown> {
const taskId = args[2] ?? "latest";
const tasksResponse = await frontendJson(session, "/api/tasks?limit=100");
const tasks = (tasksResponse as { body?: { tasks?: Array<{ id?: string }> } }).body?.tasks ?? [];
const task = taskId === "latest" ? tasks[0] : tasks.find((item) => item.id === taskId);
return { transport: "frontend", tasksResponse, taskId, task: task ?? null };
}
export function summarizeRemoteMicroserviceResponse(action: string, id: string, response: unknown, args: string[]): unknown {
const optionArgs = args.slice(3);
if (action === "health") return summarizeMicroserviceHealthResponse(response, optionArgs, id);
if (action === "status" || action === "diagnostics") return summarizeMicroserviceObservation(action, id, response, optionArgs);
return response;
}
async function remoteMicroservice(session: FrontendSession, args: string[]): Promise<unknown> {
const action = args[1] ?? "list";
const id = args[2];
const path = args[3];
if (action === "list") {
return { transport: "frontend", response: await frontendJson(session, "/api/microservices", undefined, 12_000) };
}
if ((action === "status" || action === "health" || action === "diagnostics" || action === "tunnel-self-test") && id !== undefined) {
const response = await frontendJson(session, `/api/microservices/${encodeURIComponent(id)}/${action}`, undefined, 18_000);
return {
transport: "frontend",
response: summarizeRemoteMicroserviceResponse(action, id, response, args),
};
}
if (action === "proxy" && id !== undefined && path !== undefined && path.startsWith("/")) {
const full = args.includes("--full");
const raw = args.includes("--raw");
const maxBodyBytes = full ? numberOption(args, "--max-body-bytes", 5_000_000) : cappedNumberOption(args, "--max-body-bytes", raw ? 120_000 : 60_000, 500_000);
const maxResponseBytes = full ? Math.min(Math.max(maxBodyBytes, 120_000), 5_000_000) : Math.min(Math.max(maxBodyBytes * 3, 240_000), 1_500_000);
const response = await frontendJson(session, `/api/microservices/${encodeURIComponent(id)}/proxy${path}`, undefined, 24_000, maxResponseBytes);
return {
transport: "frontend",
response: summarizeMicroserviceProxyResponse(response, args),
};
}
throw new Error("remote microservice command must be: microservice list | status <id> | health <id> | diagnostics <id> | tunnel-self-test <id> | proxy <id> <path>");
}
function commandResultFromFrontendTask(command: string[], task: { status?: string; result?: Record<string, unknown> } | undefined) {
const result = task?.result ?? {};
const stdout = typeof result.stdout === "string" ? result.stdout : "";
const stderr = typeof result.stderr === "string" ? result.stderr : "";
return {
command,
cwd: ".",
exitCode: typeof result.exitCode === "number" ? result.exitCode : null,
stdout,
stderr,
signal: null,
timedOut: result.timedOut === true || (task?.status !== "succeeded" && /timeout|timed out/iu.test(stderr)),
};
}
async function dispatchHostSshJson(
session: FrontendSession,
providerId: string,
command: string,
timeoutMs: number,
waitMs = Math.max(timeoutMs + 5000, 20_000),
): Promise<{ dispatch: FetchJsonResult; wait: unknown; task?: { status?: string; result?: Record<string, unknown> }; taskId: string | null }> {
const dispatch = await frontendJson(session, "/api/dispatch", {
method: "POST",
body: JSON.stringify({
providerId,
command: "host.ssh",
payload: { source: "cli-remote-artifact-registry", mode: "exec", command, timeoutMs },
}),
});
const taskId = (dispatch as { body?: { taskId?: string } }).body?.taskId ?? "";
const wait = taskId.length > 0 ? await waitForFrontendTask(session, taskId, waitMs) : null;
const task = (wait as { task?: { status?: string; result?: Record<string, unknown> } } | null)?.task;
return { dispatch, wait, task, taskId: taskId.length > 0 ? taskId : null };
}
async function remoteArtifactRegistry(session: FrontendSession, args: string[]): Promise<unknown> {
const action = args[1] ?? "status";
if (action !== "status" && action !== "health") {
throw new Error("remote frontend transport supports artifact-registry status|health only; use main-server SSH for mutating install/deploy commands");
}
const options = parseArtifactRegistryOptions(args.slice(2));
const probe = buildArtifactRegistryReadonlyProbe(action, options);
const dispatched = await dispatchHostSshJson(session, probe.providerId, probe.script, probe.timeoutMs);
const command = ["frontend", "/api/dispatch", probe.providerId, "host.ssh", action];
const result = commandResultFromFrontendTask(command, dispatched.task);
const registryResult = artifactRegistryReadonlyResultFromCommand(probe, result);
const dispatchBody = dispatched.dispatch.body as Record<string, unknown> | null | undefined;
const dispatchError = typeof dispatchBody?.error === "string" ? dispatchBody.error : null;
return {
transport: "frontend",
readonly: true,
dispatch: dispatched.dispatch,
wait: dispatched.wait,
result: dispatched.taskId === null
? {
ok: false,
readonly: true,
installed: false,
healthy: false,
decision: "infra-blocked",
retryable: true,
runnerDisposition: "infra-blocked",
failureClassification: "control-plane-missing",
recommendedAction: "restore the remote frontend/backend-core dispatch control plane, then rerun artifact-registry status|health",
healthyScopes: [],
failedScopes: ["control-plane-missing", "backend-core-api"],
runtimeApiHealthy: false,
channels: [
{ channel: "backend-core-api", ok: false, requiredFor: "frontend /api/dispatch backend-core session creation", detail: dispatched.dispatch },
{ channel: "provider-dispatch", ok: false, requiredFor: "host.ssh task creation", detail: dispatched.dispatch },
],
controlPlane: {
transport: "remote-frontend",
failureClassification: "control-plane-missing",
dispatchStatus: dispatched.dispatch.status ?? null,
dispatchError,
},
registry: registryResult,
}
: registryResult,
};
}
async function remoteCi(session: FrontendSession, config: UniDeskConfig, args: string[]): Promise<unknown> {
const action = args[1] ?? "status";
if ((action !== "publish-user-service" && action !== "publish-backend-core") || !args.includes("--dry-run")) {
throw new Error("remote frontend transport supports only ci publish-user-service --dry-run and ci publish-backend-core --dry-run preflight; real CI publication must run from the controlled main-server CLI after preflight is ready");
}
const transport = {
kind: "remote-frontend" as const,
remoteHost: session.baseUrl,
coreFetch: (path: string, init?: { method?: string; body?: unknown; maxResponseBytes?: number }) => frontendJson(session, path, init === undefined ? undefined : {
method: init.method,
body: init.body === undefined ? undefined : JSON.stringify(init.body),
}, 12_000, init?.maxResponseBytes ?? 500_000),
dispatchHostSsh: async (command: string, waitMs: number, remoteTimeoutMs: number) => {
const dispatched = await dispatchHostSshJson(session, "D601", command, remoteTimeoutMs, waitMs);
const task = dispatched.task;
const result = task?.result ?? {};
return {
ok: task?.status === "succeeded" && (typeof result.exitCode !== "number" || result.exitCode === 0) && dispatched.taskId !== null,
taskId: dispatched.taskId,
status: task?.status ?? null,
stdout: typeof result.stdout === "string" ? result.stdout : "",
stderr: typeof result.stderr === "string" ? result.stderr : "",
exitCode: typeof result.exitCode === "number" ? result.exitCode : null,
raw: task ?? dispatched.wait ?? dispatched.dispatch,
};
},
commandCwd: ".",
artifactRegistryCommand: (probe: ReturnType<typeof buildArtifactRegistryReadonlyProbe>) => ["frontend", "/api/dispatch", probe.providerId, "host.ssh", probe.action, dispatchedTaskShape(probe.remoteCommandShape)],
};
return {
transport: "frontend",
readonly: true,
result: action === "publish-backend-core"
? await runCiPublishBackendCoreDryRunPreflight(config, args.slice(1), transport)
: await runCiPublishUserServiceDryRunPreflight(config, args.slice(1), transport),
};
}
function dispatchedTaskShape(remoteCommandShape: string): string {
return remoteCommandShape.length > 0 ? remoteCommandShape : "host.ssh artifact-registry readonly probe";
}
async function remoteCodeQueue(session: FrontendSession, args: string[]): Promise<unknown> {
const action = args[1] ?? "task";
if (action !== "task" && action !== "summary" && action !== "show" && action !== "tasks" && action !== "overview" && action !== "unread" && action !== "terminal-unread" && action !== "queues" && action !== "queue-list" && action !== "output" && action !== "judge" && action !== "pr-preflight" && action !== "runtime-preflight") {
throw new Error("remote codex command must be: codex task <taskId>, codex tasks, codex unread, codex queues, codex output <taskId>, codex judge <taskId> --attempt N, or codex pr-preflight [--remote]");
}
const taskId = args[2];
if ((action === "task" || action === "summary" || action === "show" || action === "output" || action === "judge") && (taskId === undefined || taskId.length === 0)) {
throw new Error(`codex ${action} requires task id`);
}
const requiredTaskId = taskId ?? "";
const fetcher = (path: string, init?: { method?: string; body?: unknown }): Promise<FetchJsonResult> => {
const requestInit = init === undefined
? undefined
: {
method: init.method,
body: init.body === undefined ? undefined : JSON.stringify(init.body),
};
return frontendJson(session, path, requestInit, action === "judge" ? 130_000 : 24_000);
};
return {
transport: "frontend",
result: action === "tasks" || action === "overview"
? await codexTasksQueryAsync(args.slice(1), fetcher)
: action === "unread" || action === "terminal-unread"
? await codexUnreadTriageAsync(args.slice(2), fetcher)
: action === "queues" || action === "queue-list"
? await codexQueuesQueryAsync(args.slice(2), fetcher)
: action === "output"
? await codexOutputQueryAsync(requiredTaskId, args.slice(3), fetcher)
: action === "pr-preflight" || action === "runtime-preflight"
? await codexPrPreflightQueryAsync(args.slice(1), fetcher)
: action === "judge"
? await codexJudgeQueryAsync(requiredTaskId, args.slice(3), fetcher)
: await codexTaskQueryAsync(requiredTaskId, args.slice(3), fetcher),
};
}
async function remoteNetworkPerf(options: RemoteCliOptions, config: UniDeskConfig, args: string[]): Promise<unknown> {
if (options.host === null) throw new Error("network perf requires --main-server-ip when using remote frontend transport");
return {
transport: "frontend",
result: await runNetworkPerf(parseNetworkPerfOptions(config, args.slice(2), options.host)),
};
}
function frontendSshWebSocketUrl(session: FrontendSession): string {
const url = new URL("/ws/ssh", session.baseUrl);
url.protocol = url.protocol === "https:" ? "wss:" : "ws:";
return url.toString();
}
function webSocketDataText(data: unknown): string {
if (typeof data === "string") return data;
if (data instanceof ArrayBuffer) return Buffer.from(data).toString("utf8");
if (ArrayBuffer.isView(data)) return Buffer.from(data.buffer, data.byteOffset, data.byteLength).toString("utf8");
return String(data);
}
function openFrontendSshWebSocket(session: FrontendSession): WebSocket {
const WebSocketWithHeaders = WebSocket as unknown as new (
url: string,
options?: { headers?: Record<string, string> },
) => WebSocket;
const headers = session.sshClientToken === null
? { cookie: session.cookie }
: { authorization: `Bearer ${session.sshClientToken}` };
return new WebSocketWithHeaders(frontendSshWebSocketUrl(session), { headers });
}
async function runRemoteSshWebSocket(
session: FrontendSession,
invocation: ReturnType<typeof parseSshInvocation>,
): Promise<number> {
const parsed = invocation.parsed;
const startedAtMs = Date.now();
const size = {
cols: Number(process.stdout.columns) > 0 ? Number(process.stdout.columns) : 100,
rows: Number(process.stdout.rows) > 0 ? Number(process.stdout.rows) : 30,
};
const openTimeoutMs = Math.max(15000, Number(process.env.UNIDESK_SSH_OPEN_TIMEOUT_MS || 60000));
const runtimeTimeoutMs = sshRuntimeTimeoutMs();
const payload = {
providerId: invocation.providerId,
command: wrapSshRemoteCommand(parsed.remoteCommand, parsed.requiredHelpers),
cwd: sshRoutePayloadCwd(invocation.route),
tty: parsed.remoteCommand === null,
stdinEotOnEnd: parsed.remoteCommand !== null,
openTimeoutMs,
runtimeTimeoutMs,
cols: size.cols,
rows: size.rows,
};
const ws = openFrontendSshWebSocket(session);
let exitCode = 255;
let settled = false;
let canSend = false;
let sessionReady = false;
const pending: string[] = [];
const pendingSessionMessages: string[] = [];
const send = (value: unknown): void => {
const text = JSON.stringify(value);
if (!canSend || ws.readyState !== WebSocket.OPEN) {
pending.push(text);
return;
}
ws.send(text);
};
const flush = (): void => {
while (pending.length > 0 && ws.readyState === WebSocket.OPEN) ws.send(pending.shift()!);
};
const sendInput = (value: Buffer | string): void => {
sendWhenSessionReady({ type: "ssh.input", data: Buffer.from(value).toString("base64"), encoding: "base64" });
};
const sendInputChunked = (value: string): void => {
const buffer = Buffer.from(value, "utf8");
for (let offset = 0; offset < buffer.length; offset += remoteSshInputChunkBytes) {
sendInput(buffer.subarray(offset, Math.min(buffer.length, offset + remoteSshInputChunkBytes)));
}
};
const sendWhenSessionReady = (value: unknown): void => {
const text = JSON.stringify(value);
if (!sessionReady || ws.readyState !== WebSocket.OPEN) {
pendingSessionMessages.push(text);
return;
}
ws.send(text);
};
const flushSessionMessages = (): void => {
if (!sessionReady || ws.readyState !== WebSocket.OPEN) return;
while (pendingSessionMessages.length > 0) ws.send(pendingSessionMessages.shift()!);
};
return await new Promise<number>((resolve) => {
const rawMode = parsed.remoteCommand === null && process.stdin.isTTY && typeof process.stdin.setRawMode === "function";
const stdoutForwarder = parsed.remoteCommand === null ? null : createSshStdoutForwarder({
invocation,
transport: "frontend-websocket",
});
let timedOut = false;
const openTimer = setTimeout(() => {
if (sessionReady || settled) return;
process.stderr.write("unidesk remote frontend ssh bridge timed out waiting for provider session\n");
exitCode = 255;
try {
ws.close();
} catch {
// Ignore close failures while resolving the timeout path.
}
}, openTimeoutMs);
const runtimeTimer = setTimeout(() => {
if (settled) return;
timedOut = true;
exitCode = 124;
process.stderr.write(formatSshRuntimeTimeoutHint(sshRuntimeTimeoutHint({
invocation,
transport: "frontend-websocket",
timeoutMs: runtimeTimeoutMs,
})));
try {
ws.close();
} catch {
// Ignore close failures while resolving the timeout path.
}
finish(124);
}, runtimeTimeoutMs);
const restore = (): void => {
clearTimeout(openTimer);
clearTimeout(runtimeTimer);
process.stdin.off("data", onStdinData);
process.stdin.off("end", onStdinEnd);
if (rawMode) process.stdin.setRawMode(false);
};
const finish = (code: number): void => {
if (settled) return;
settled = true;
restore();
const hint = timedOut ? null : sshFailureHint(invocation.providerId, parsed, code, "");
if (hint !== null) process.stderr.write(formatSshFailureHint(hint));
const timingHint = formatSshRuntimeTimingHint(sshRuntimeTimingHint({
invocation,
transport: "frontend-websocket",
exitCode: code,
startedAtMs,
}));
if (timingHint) process.stderr.write(timingHint);
resolve(code);
};
const onStdinData = (chunk: Buffer): void => {
sendInput(chunk);
};
const onStdinEnd = (): void => {
if (parsed.stdinSuffix) sendInput(parsed.stdinSuffix);
if (payload.stdinEotOnEnd === true) sendInput(Buffer.from([4]));
sendWhenSessionReady({ type: "ssh.eof" });
};
ws.addEventListener("open", () => {
canSend = true;
send({ type: "ssh.open", ...payload });
flush();
});
ws.addEventListener("message", (event) => {
const text = webSocketDataText(event.data);
let message: Record<string, unknown>;
try {
message = JSON.parse(text) as Record<string, unknown>;
} catch {
process.stderr.write(`${text}\n`);
return;
}
if (message.type === "ssh.dispatched") return;
if (message.type === "ssh.opened") {
sessionReady = true;
clearTimeout(openTimer);
flushSessionMessages();
return;
}
if (message.type === "ssh.data") {
const chunk = Buffer.from(String(message.data ?? ""), message.encoding === "base64" ? "base64" : "utf8");
if (message.stream === "stderr") process.stderr.write(chunk);
else if (stdoutForwarder === null) {
process.stdout.write(chunk);
} else {
const hint = stdoutForwarder.write(chunk);
if (hint !== null) process.stderr.write(hint);
}
return;
}
if (message.type === "ssh.error") {
process.stderr.write(`${String(message.message || "ssh bridge error")}\n`);
exitCode = 255;
ws.close();
return;
}
if (message.type === "ssh.exit") {
exitCode = Number.isInteger(message.exitCode) ? Number(message.exitCode) : 255;
ws.close();
}
});
ws.addEventListener("close", () => finish(exitCode));
ws.addEventListener("error", () => {
process.stderr.write("unidesk remote frontend ssh bridge websocket error\n");
finish(255);
});
if (rawMode) process.stdin.setRawMode(true);
process.stdin.resume();
if (parsed.stdinPrefix) sendInput(parsed.stdinPrefix);
process.stdin.on("data", onStdinData);
process.stdin.on("end", onStdinEnd);
});
}
async function runRemoteSshWebSocketCapture(
session: FrontendSession,
invocation: ReturnType<typeof parseSshInvocation>,
command: string[],
input?: string,
): Promise<SshCaptureResult> {
const remoteCommand = remoteCommandForRoute(invocation.route, command, { stdin: input !== undefined });
return await runRemoteSshWebSocketCaptureRemoteCommand(session, invocation, remoteCommand, input);
}
async function runRemoteSshWebSocketCaptureRemoteCommand(
session: FrontendSession,
invocation: ReturnType<typeof parseSshInvocation>,
remoteCommand: string,
input?: string,
): Promise<SshCaptureResult> {
const captureInvocation = {
...invocation,
parsed: { ...invocation.parsed, remoteCommand, requiresStdin: input !== undefined, invocationKind: "helper" as const },
};
const startedAtMs = Date.now();
const size = {
cols: Number(process.stdout.columns) > 0 ? Number(process.stdout.columns) : 100,
rows: Number(process.stdout.rows) > 0 ? Number(process.stdout.rows) : 30,
};
const runtimeTimeoutMs = sshRuntimeTimeoutMs();
const payload = {
providerId: invocation.providerId,
command: wrapSshRemoteCommand(remoteCommand),
cwd: sshRoutePayloadCwd(invocation.route),
tty: false,
stdinEotOnEnd: false,
openTimeoutMs: Math.max(15000, Number(process.env.UNIDESK_SSH_OPEN_TIMEOUT_MS || 60000)),
runtimeTimeoutMs,
cols: size.cols,
rows: size.rows,
};
const ws = openFrontendSshWebSocket(session);
let exitCode = 255;
let settled = false;
let canSend = false;
let sessionReady = false;
let stdout = "";
let stderr = "";
const pending: string[] = [];
const pendingSessionMessages: string[] = [];
const send = (value: unknown): void => {
const text = JSON.stringify(value);
if (!canSend || ws.readyState !== WebSocket.OPEN) {
pending.push(text);
return;
}
ws.send(text);
};
const sendWhenSessionReady = (value: unknown): void => {
const text = JSON.stringify(value);
if (!sessionReady || ws.readyState !== WebSocket.OPEN) {
pendingSessionMessages.push(text);
return;
}
ws.send(text);
};
const sendInput = (value: Buffer | string): void => {
sendWhenSessionReady({ type: "ssh.input", data: Buffer.from(value).toString("base64"), encoding: "base64" });
};
const sendInputChunked = (value: string): void => {
const buffer = Buffer.from(value, "utf8");
for (let offset = 0; offset < buffer.length; offset += remoteSshInputChunkBytes) {
sendInput(buffer.subarray(offset, Math.min(buffer.length, offset + remoteSshInputChunkBytes)));
}
};
const flush = (): void => {
while (pending.length > 0 && ws.readyState === WebSocket.OPEN) ws.send(pending.shift()!);
};
const flushSessionMessages = (): void => {
if (!sessionReady || ws.readyState !== WebSocket.OPEN) return;
while (pendingSessionMessages.length > 0) ws.send(pendingSessionMessages.shift()!);
};
return await new Promise<SshCaptureResult>((resolve) => {
let killTimer: ReturnType<typeof setTimeout> | null = null;
const finish = (code: number): void => {
if (settled) return;
settled = true;
clearTimeout(openTimer);
clearTimeout(runtimeTimer);
if (killTimer !== null) clearTimeout(killTimer);
const timingHint = formatSshRuntimeTimingHint(sshRuntimeTimingHint({
invocation: captureInvocation,
transport: "frontend-websocket",
exitCode: code,
startedAtMs,
}));
if (timingHint) stderr += timingHint;
resolve({ exitCode: code, stdout, stderr });
};
const openTimer = setTimeout(() => {
if (sessionReady || settled) return;
stderr += "unidesk remote frontend ssh bridge timed out waiting for provider session\n";
exitCode = 255;
try {
ws.close();
} catch {
// Ignore.
}
}, payload.openTimeoutMs);
const runtimeTimer = setTimeout(() => {
if (settled) return;
exitCode = 124;
stderr += formatSshRuntimeTimeoutHint(sshRuntimeTimeoutHint({
invocation: captureInvocation,
transport: "frontend-websocket",
timeoutMs: runtimeTimeoutMs,
}));
try {
ws.close();
} catch {
// Ignore.
}
killTimer = setTimeout(() => finish(124), 2000);
finish(124);
}, runtimeTimeoutMs);
ws.addEventListener("open", () => {
canSend = true;
send({ type: "ssh.open", ...payload });
flush();
});
ws.addEventListener("message", (event) => {
const text = webSocketDataText(event.data);
let message: Record<string, unknown>;
try {
message = JSON.parse(text) as Record<string, unknown>;
} catch {
stderr += `${text}\n`;
return;
}
if (message.type === "ssh.dispatched") return;
if (message.type === "ssh.opened") {
sessionReady = true;
clearTimeout(openTimer);
if (input !== undefined) sendInputChunked(input);
sendWhenSessionReady({ type: "ssh.eof" });
flushSessionMessages();
return;
}
if (message.type === "ssh.data") {
const chunk = Buffer.from(String(message.data ?? ""), message.encoding === "base64" ? "base64" : "utf8").toString("utf8");
if (message.stream === "stderr") stderr += chunk;
else stdout += chunk;
return;
}
if (message.type === "ssh.error") {
stderr += `${String(message.message || "ssh bridge error")}\n`;
exitCode = 255;
ws.close();
return;
}
if (message.type === "ssh.exit") {
exitCode = Number.isInteger(message.exitCode) ? Number(message.exitCode) : 255;
ws.close();
}
});
ws.addEventListener("close", () => finish(exitCode));
ws.addEventListener("error", () => {
stderr += "unidesk remote frontend ssh bridge websocket error\n";
finish(255);
});
});
}
async function runRemoteSshWebSocketStreamRemoteCommand(
session: FrontendSession,
invocation: ReturnType<typeof parseSshInvocation>,
remoteCommand: string,
handlers: SshRemoteCommandStreamHandlers,
input?: string,
): Promise<SshCaptureResult> {
const streamInvocation = {
...invocation,
parsed: { ...invocation.parsed, remoteCommand, requiresStdin: input !== undefined, invocationKind: "helper" as const },
};
const startedAtMs = Date.now();
const size = {
cols: Number(process.stdout.columns) > 0 ? Number(process.stdout.columns) : 100,
rows: Number(process.stdout.rows) > 0 ? Number(process.stdout.rows) : 30,
};
const runtimeTimeoutMs = sshRuntimeTimeoutMs();
const payload = {
providerId: invocation.providerId,
command: wrapSshRemoteCommand(remoteCommand),
cwd: sshRoutePayloadCwd(invocation.route),
tty: false,
stdinEotOnEnd: false,
openTimeoutMs: Math.max(15000, Number(process.env.UNIDESK_SSH_OPEN_TIMEOUT_MS || 60000)),
runtimeTimeoutMs,
cols: size.cols,
rows: size.rows,
};
const ws = openFrontendSshWebSocket(session);
let exitCode = 255;
let settled = false;
let canSend = false;
let sessionReady = false;
let stdout = "";
let stderr = "";
let streamError: unknown = null;
let streamWrites = Promise.resolve();
const pending: string[] = [];
const pendingSessionMessages: string[] = [];
const send = (value: unknown): void => {
const text = JSON.stringify(value);
if (!canSend || ws.readyState !== WebSocket.OPEN) {
pending.push(text);
return;
}
ws.send(text);
};
const sendWhenSessionReady = (value: unknown): void => {
const text = JSON.stringify(value);
if (!sessionReady || ws.readyState !== WebSocket.OPEN) {
pendingSessionMessages.push(text);
return;
}
ws.send(text);
};
const sendInput = (value: Buffer | string): void => {
sendWhenSessionReady({ type: "ssh.input", data: Buffer.from(value).toString("base64"), encoding: "base64" });
};
const sendInputChunked = (value: string): void => {
const buffer = Buffer.from(value, "utf8");
for (let offset = 0; offset < buffer.length; offset += remoteSshInputChunkBytes) {
sendInput(buffer.subarray(offset, Math.min(buffer.length, offset + remoteSshInputChunkBytes)));
}
};
const flush = (): void => {
while (pending.length > 0 && ws.readyState === WebSocket.OPEN) ws.send(pending.shift()!);
};
const flushSessionMessages = (): void => {
if (!sessionReady || ws.readyState !== WebSocket.OPEN) return;
while (pendingSessionMessages.length > 0) ws.send(pendingSessionMessages.shift()!);
};
const queueStreamWrite = (chunk: Buffer, stream: "stdout" | "stderr"): void => {
streamWrites = streamWrites.then(async () => {
if (stream === "stdout") await handlers.onStdout(chunk);
else if (handlers.onStderr !== undefined) await handlers.onStderr(chunk);
}).catch((error) => {
streamError = error;
stderr += `unidesk remote frontend ssh stream sink failed: ${error instanceof Error ? error.message : String(error)}\n`;
exitCode = 255;
try {
ws.close();
} catch {
// Ignore close failures after the local stream sink has failed.
}
});
};
return await new Promise<SshCaptureResult>((resolve) => {
let killTimer: ReturnType<typeof setTimeout> | null = null;
const finish = (code: number): void => {
if (settled) return;
settled = true;
clearTimeout(openTimer);
clearTimeout(runtimeTimer);
if (killTimer !== null) clearTimeout(killTimer);
void streamWrites.then(() => {
const finalCode = streamError === null ? code : 255;
const timingHint = formatSshRuntimeTimingHint(sshRuntimeTimingHint({
invocation: streamInvocation,
transport: "frontend-websocket",
exitCode: finalCode,
startedAtMs,
}));
if (timingHint) stderr += timingHint;
resolve({ exitCode: finalCode, stdout, stderr });
});
};
const openTimer = setTimeout(() => {
if (sessionReady || settled) return;
stderr += "unidesk remote frontend ssh bridge timed out waiting for provider session\n";
exitCode = 255;
try {
ws.close();
} catch {
// Ignore.
}
}, payload.openTimeoutMs);
const runtimeTimer = setTimeout(() => {
if (settled) return;
exitCode = 124;
stderr += formatSshRuntimeTimeoutHint(sshRuntimeTimeoutHint({
invocation: streamInvocation,
transport: "frontend-websocket",
timeoutMs: runtimeTimeoutMs,
}));
try {
ws.close();
} catch {
// Ignore.
}
killTimer = setTimeout(() => finish(124), 2000);
finish(124);
}, runtimeTimeoutMs);
ws.addEventListener("open", () => {
canSend = true;
send({ type: "ssh.open", ...payload });
flush();
});
ws.addEventListener("message", (event) => {
const text = webSocketDataText(event.data);
let message: Record<string, unknown>;
try {
message = JSON.parse(text) as Record<string, unknown>;
} catch {
stderr += `${text}\n`;
return;
}
if (message.type === "ssh.dispatched") return;
if (message.type === "ssh.opened") {
sessionReady = true;
clearTimeout(openTimer);
if (input !== undefined) sendInputChunked(input);
sendWhenSessionReady({ type: "ssh.eof" });
flushSessionMessages();
return;
}
if (message.type === "ssh.data") {
const chunk = Buffer.from(String(message.data ?? ""), message.encoding === "base64" ? "base64" : "utf8");
if (message.stream === "stderr") {
stderr += chunk.toString("utf8");
queueStreamWrite(chunk, "stderr");
} else {
queueStreamWrite(chunk, "stdout");
}
return;
}
if (message.type === "ssh.error") {
stderr += `${String(message.message || "ssh bridge error")}\n`;
exitCode = 255;
ws.close();
return;
}
if (message.type === "ssh.exit") {
exitCode = Number.isInteger(message.exitCode) ? Number(message.exitCode) : 255;
ws.close();
}
});
ws.addEventListener("close", () => finish(exitCode));
ws.addEventListener("error", () => {
stderr += "unidesk remote frontend ssh bridge websocket error\n";
finish(255);
});
});
}
export function remoteSshFrontendPlanForTest(target: string, args: string[]): Record<string, unknown> {
const invocation = parseSshInvocation(target, args);
return {
transport: "frontend-websocket",
providerId: invocation.providerId,
route: invocation.route,
remoteCommand: invocation.parsed.remoteCommand,
wrappedRemoteCommand: wrapSshRemoteCommand(invocation.parsed.remoteCommand, invocation.parsed.requiredHelpers),
requiresStdin: invocation.parsed.requiresStdin,
invocationKind: invocation.parsed.invocationKind,
payloadCwd: sshRoutePayloadCwd(invocation.route) ?? null,
};
}
async function runRemoteSshOverFrontend(session: FrontendSession, target: string | undefined, args: string[]): Promise<number> {
if (!target) throw new Error("remote ssh requires a route, for example: bun scripts/cli.ts --main-server-ip 74.48.78.17 ssh D601 hostname");
const normalizedArgs = normalizeSshOperationArgs(args);
process.stderr.write(sshRouteSeparatorCompatibilityHint(args, normalizedArgs));
const invocation = parseSshInvocation(target, normalizedArgs);
if (isSshFileTransferOperation(normalizedArgs)) {
const executor: SshRemoteCommandExecutor = {
runRemoteCommand: (remoteCommand, input) => runRemoteSshWebSocketCaptureRemoteCommand(session, invocation, remoteCommand, input),
streamRemoteCommand: (remoteCommand, handlers, input) => runRemoteSshWebSocketStreamRemoteCommand(session, invocation, remoteCommand, handlers, input),
};
return await runSshFileTransferOperation(invocation, normalizedArgs, executor, {
buildRouteCommand: remoteCommandForRoute,
buildWindowsPowerShellCommand: buildWindowsPowerShellInvocation,
});
}
if ((normalizedArgs[0] ?? "") === "apply-patch") {
const executor: ApplyPatchV2Executor = {
run: (command, input) => runRemoteSshWebSocketCapture(session, invocation, command, input),
};
return await runApplyPatchV2({
executor,
stdin: process.stdin,
stdout: process.stdout,
stderr: process.stderr,
argv: normalizedArgs.slice(1),
timing: {
providerId: invocation.providerId,
route: invocation.route.raw,
transport: "frontend-websocket",
},
});
}
return runRemoteSshWebSocket(session, invocation);
}
async function runRemoteCliOverFrontend(options: RemoteCliOptions, config: UniDeskConfig): Promise<number> {
if (options.host === null) throw new Error("runRemoteCli requires --main-server-ip or --server");
const args = options.args.length === 0 ? ["help"] : options.args;
const name = commandName(args);
try {
const [top, sub] = args;
const scopedSshToken = top === "ssh" ? sshClientTokenFromEnv() : null;
const session = scopedSshToken === null ? await loginFrontend(options.host, config) : scopedSshFrontendSession(options.host, config, scopedSshToken);
if (top === "help" || top === "--help" || top === "-h") {
emitRemoteJson(name, {
transport: "frontend",
baseUrl: session.baseUrl,
commands: ["debug health", "debug dispatch", "debug task", "ssh <providerId> <command>", "ssh <providerId> skills", "artifact-registry status|health", "ci publish-user-service --dry-run", "ci publish-backend-core --dry-run", "microservice list", "microservice status <id>", "microservice health <id>", "microservice diagnostics <id>", "microservice tunnel-self-test <id>", "microservice proxy <id> <path>", "decision upload <markdown-file>", "decision list", "decision show <id>", "codex task <taskId>", "codex tasks", "codex unread", "codex queues", "codex judge <taskId> --attempt N", "codex pr-preflight [--remote]", "network perf"],
});
return 0;
}
if (top === "debug" && sub === "health") {
emitRemoteJson(name, await remoteHealth(session, config));
return 0;
}
if (top === "debug" && sub === "dispatch") {
emitRemoteJson(name, await remoteDebugDispatch(session, config, args));
return 0;
}
if (top === "debug" && sub === "task") {
emitRemoteJson(name, await remoteDebugTask(session, args));
return 0;
}
if (top === "microservice") {
emitRemoteJson(name, await remoteMicroservice(session, args));
return 0;
}
if (top === "artifact-registry") {
emitRemoteJson(name, await remoteArtifactRegistry(session, args));
return 0;
}
if (top === "ci") {
emitRemoteJson(name, await remoteCi(session, config, args));
return 0;
}
if (top === "decision" || top === "decision-center") {
const fetcher = (path: string, init?: { method?: string; body?: unknown }): Promise<FetchJsonResult> => {
const requestInit = init === undefined
? undefined
: {
method: init.method,
body: init.body === undefined ? undefined : JSON.stringify(init.body),
};
return frontendJson(session, path, requestInit, 30_000);
};
const result = await runDecisionCenterCommandAsync(config, args.slice(1), fetcher);
const ok = typeof result !== "object" || result === null || !("ok" in result) || (result as { ok?: unknown }).ok !== false;
emitRemoteJson(name, result, ok);
return ok ? 0 : 1;
}
if (top === "codex") {
emitRemoteJson(name, await remoteCodeQueue(session, args));
return 0;
}
if (top === "network" && sub === "perf") {
emitRemoteJson(name, await remoteNetworkPerf(options, config, args));
return 0;
}
if (top === "ssh") {
return await runRemoteSshOverFrontend(session, sub, args.slice(2));
}
throw new Error(`remote frontend transport does not support command: ${name}`);
} catch (error) {
emitRemoteError(name, error);
return 1;
}
}
export async function runRemoteCli(options: RemoteCliOptions, config: UniDeskConfig): Promise<number> {
if (options.host === null) throw new Error("runRemoteCli requires --main-server-ip or --server");
const useSsh = options.transport === "ssh" || (options.transport === "auto" && options.identityFile !== null);
if (useSsh) return runRemoteCliOverSsh(options);
return runRemoteCliOverFrontend(options, config);
}