Worker: interactive terminal WebSocket bridge (PTY in workspace container)

- attachTerminalServer() upgrades /jobs/:id/terminal WS connections, verifying a
  short-lived job-scoped HMAC token (verifyTerminalToken) so the browser never
  holds the worker secret
- Bridges the socket to a bash PTY via dockerode exec (Tty) in a persistent
  per-job shell container (spoon-agent-term-<id>) mounting the workspace; binary
  frames = stdin, JSON text frames = resize; idle containers reaped after 30m
- New env: SPOON_AGENT_TERMINAL_IMAGE/SECRET/IDLE_MS (secret falls back to the
  shared worker internal token)
This commit is contained in:
Gabriel Brown
2026-06-24 08:16:39 -04:00
parent 1072cf10cd
commit c1263b2e69
10 changed files with 388 additions and 7 deletions
+11
View File
@@ -1462,6 +1462,17 @@ export const runWorkspaceCommand = async (jobId: string, command: string) => {
return { success: true };
};
// Non-throwing accessor for the interactive terminal: returns the active
// workspace's mount info, or null when the workspace is not active here.
export const getTerminalWorkspace = (jobId: string) => {
const workspace = activeWorkspaces.get(jobId);
if (!workspace) return null;
return {
workdir: workspace.workdir,
secrets: workspace.claim.secrets,
};
};
export const getWorkspaceAgentStatus = (jobId: string) => {
const workspace = resolveWorkspace(jobId);
return {