Worker: interactive terminal WebSocket bridge (PTY in workspace container)
- attachTerminalServer() upgrades /jobs/:id/terminal WS connections, verifying a short-lived job-scoped HMAC token (verifyTerminalToken) so the browser never holds the worker secret - Bridges the socket to a bash PTY via dockerode exec (Tty) in a persistent per-job shell container (spoon-agent-term-<id>) mounting the workspace; binary frames = stdin, JSON text frames = resize; idle containers reaped after 30m - New env: SPOON_AGENT_TERMINAL_IMAGE/SECRET/IDLE_MS (secret falls back to the shared worker internal token)
This commit is contained in:
@@ -4,6 +4,7 @@ import type { IncomingMessage, ServerResponse } from 'node:http';
|
||||
import type { Id } from '@spoon/backend/convex/_generated/dataModel.js';
|
||||
|
||||
import { env } from './env';
|
||||
import { attachTerminalServer } from './terminal';
|
||||
import {
|
||||
abortWorkspaceAgent,
|
||||
cleanupOrphanedWorkspaces,
|
||||
@@ -182,6 +183,7 @@ export const startWorkerServer = () => {
|
||||
}
|
||||
})();
|
||||
});
|
||||
attachTerminalServer(server);
|
||||
server.listen(env.httpPort, () => {
|
||||
console.log(
|
||||
`Spoon agent worker HTTP server listening on port ${env.httpPort}`,
|
||||
|
||||
Reference in New Issue
Block a user