claude login and codex tightening

Author: khaliqgant

.dockerignore

@@ -0,0 +1,40 @@
+# Dependencies - must be rebuilt inside container for correct platform
+node_modules
+src/dashboard/node_modules
+
+# Build outputs
+dist
+src/dashboard/out
+src/dashboard/.next
+
+# Development files
+.git
+.github
+.vscode
+*.log
+.env*
+.DS_Store
+
+# Test files
+coverage
+*.test.ts
+*.spec.ts
+__tests__
+
+# Docker files (avoid recursive copy)
+Dockerfile*
+docker-compose*
+
+# Documentation
+*.md
+!README.md
+docs
+!docs/agent-relay-snippet.md
+!docs/agent-relay-protocol.md
+!docs/agent-policy-snippet.md
+
+# Misc
+.beads
+.claude
+.openskills
+tmp

.github/workflows/docker.yml

@@ -37,6 +37,9 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
 
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
@@ -56,7 +59,7 @@ jobs:
           tags: ${{ env.REGISTRY }}/${{ env.ORG }}/relay-workspace-base:latest
           cache-from: type=gha,scope=base
           cache-to: type=gha,mode=max,scope=base
-          platforms: linux/amd64
+          platforms: linux/amd64,linux/arm64
 
   # Main images - build on every push
   build-and-push:
@@ -78,6 +81,9 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
 
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
@@ -109,7 +115,7 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha,scope=${{ matrix.image }}
           cache-to: type=gha,mode=max,scope=${{ matrix.image }}
-          platforms: linux/amd64
+          platforms: linux/amd64,linux/arm64
 
   # Update running workspaces with new image (graceful - won't disrupt active agents)
   update-workspaces:

.trajectories/completed/2026-01/traj_6mieijqyvaag.json

@@ -0,0 +1,77 @@
+{
+  "id": "traj_6mieijqyvaag",
+  "version": 1,
+  "task": {
+    "title": "Fix xterm interactive terminal for provider auth setup",
+    "source": {
+      "system": "plain",
+      "id": "xterm-display"
+    }
+  },
+  "status": "completed",
+  "startedAt": "2026-01-07T08:27:00.428Z",
+  "agents": [
+    {
+      "name": "khaliqgant",
+      "role": "lead",
+      "joinedAt": "2026-01-07T08:27:00.429Z"
+    }
+  ],
+  "chapters": [
+    {
+      "id": "chap_lcr0k4brra35",
+      "title": "Work",
+      "agentName": "default",
+      "startedAt": "2026-01-07T08:27:29.790Z",
+      "events": [
+        {
+          "ts": 1767774449791,
+          "type": "decision",
+          "content": "Fixed WebSocket proxy path - cloud server must connect to /ws/logs/:agentName not root path: Fixed WebSocket proxy path - cloud server must connect to /ws/logs/:agentName not root path",
+          "raw": {
+            "question": "Fixed WebSocket proxy path - cloud server must connect to /ws/logs/:agentName not root path",
+            "chosen": "Fixed WebSocket proxy path - cloud server must connect to /ws/logs/:agentName not root path",
+            "alternatives": [],
+            "reasoning": "Dashboard server uses path-based WebSocket routing - root path triggers socket.destroy()"
+          },
+          "significance": "high"
+        },
+        {
+          "ts": 1767774451034,
+          "type": "decision",
+          "content": "API proxy uses /api/spawn and /api/spawned endpoints: API proxy uses /api/spawn and /api/spawned endpoints",
+          "raw": {
+            "question": "API proxy uses /api/spawn and /api/spawned endpoints",
+            "chosen": "API proxy uses /api/spawn and /api/spawned endpoints",
+            "alternatives": [],
+            "reasoning": "Dashboard server exposes these endpoints, not /workspaces/:id/agents"
+          },
+          "significance": "high"
+        },
+        {
+          "ts": 1767774452834,
+          "type": "decision",
+          "content": "Empty task enables interactive terminal mode: Empty task enables interactive terminal mode",
+          "raw": {
+            "question": "Empty task enables interactive terminal mode",
+            "chosen": "Empty task enables interactive terminal mode",
+            "alternatives": [],
+            "reasoning": "Spawner was prepending relay reminder even with empty task, causing auto-input. Fixed to only send messages when actual task provided"
+          },
+          "significance": "high"
+        }
+      ],
+      "endedAt": "2026-01-07T08:28:17.323Z"
+    }
+  ],
+  "commits": [],
+  "filesChanged": [],
+  "projectId": "/Users/khaliqgant/Projects/agent-workforce/relay",
+  "tags": [],
+  "completedAt": "2026-01-07T08:28:17.323Z",
+  "retrospective": {
+    "summary": "Fixed xterm interactive terminal for provider auth: WebSocket proxy path, API endpoint mapping, spawner interactive mode, and updated development docs",
+    "approach": "Standard approach",
+    "confidence": 0.85
+  }
+}

.trajectories/completed/2026-01/traj_6mieijqyvaag.md

@@ -0,0 +1,42 @@
+# Trajectory: Fix xterm interactive terminal for provider auth setup
+
+> **Status:** ✅ Completed
+> **Task:** xterm-display
+> **Confidence:** 85%
+> **Started:** January 7, 2026 at 09:27 AM
+> **Completed:** January 7, 2026 at 09:28 AM
+
+---
+
+## Summary
+
+Fixed xterm interactive terminal for provider auth: WebSocket proxy path, API endpoint mapping, spawner interactive mode, and updated development docs
+
+**Approach:** Standard approach
+
+---
+
+## Key Decisions
+
+### Fixed WebSocket proxy path - cloud server must connect to /ws/logs/:agentName not root path
+- **Chose:** Fixed WebSocket proxy path - cloud server must connect to /ws/logs/:agentName not root path
+- **Reasoning:** Dashboard server uses path-based WebSocket routing - root path triggers socket.destroy()
+
+### API proxy uses /api/spawn and /api/spawned endpoints
+- **Chose:** API proxy uses /api/spawn and /api/spawned endpoints
+- **Reasoning:** Dashboard server exposes these endpoints, not /workspaces/:id/agents
+
+### Empty task enables interactive terminal mode
+- **Chose:** Empty task enables interactive terminal mode
+- **Reasoning:** Spawner was prepending relay reminder even with empty task, causing auto-input. Fixed to only send messages when actual task provided
+
+---
+
+## Chapters
+
+### 1. Work
+*Agent: default*
+
+- Fixed WebSocket proxy path - cloud server must connect to /ws/logs/:agentName not root path: Fixed WebSocket proxy path - cloud server must connect to /ws/logs/:agentName not root path
+- API proxy uses /api/spawn and /api/spawned endpoints: API proxy uses /api/spawn and /api/spawned endpoints
+- Empty task enables interactive terminal mode: Empty task enables interactive terminal mode

.trajectories/index.json

@@ -1,6 +1,6 @@
 {
   "version": 1,
-  "lastUpdated": "2026-01-07T06:30:00.000Z",
+  "lastUpdated": "2026-01-07T08:28:17.348Z",
   "trajectories": {
     "traj_ozd98si6a7ns": {
       "title": "Fix thinking indicator showing on all messages",
@@ -386,6 +386,13 @@
       "startedAt": "2026-01-07T06:00:00.000Z",
       "completedAt": "2026-01-07T06:30:00.000Z",
       "path": "/home/user/relay/.trajectories/completed/2026-01/traj_multi_server_arch.md"
+    },
+    "traj_6mieijqyvaag": {
+      "title": "Fix xterm interactive terminal for provider auth setup",
+      "status": "completed",
+      "startedAt": "2026-01-07T08:27:00.428Z",
+      "completedAt": "2026-01-07T08:28:17.323Z",
+      "path": "/Users/khaliqgant/Projects/agent-workforce/relay/.trajectories/completed/2026-01/traj_6mieijqyvaag.json"
     }
   }
 }

deploy/workspace/Dockerfile

@@ -42,8 +42,8 @@ COPY --from=builder /app/dist ./dist
 COPY --from=builder /app/node_modules ./node_modules
 COPY --from=builder /app/package*.json ./
 
-# Copy docs folder (contains relay snippets for agent spawning)
-COPY docs ./docs
+# Copy relay snippets for agent spawning (only what's needed)
+COPY docs/agent-relay-snippet.md docs/agent-relay-protocol.md docs/agent-policy-snippet.md ./docs/
 
 COPY deploy/workspace/entrypoint.sh /entrypoint.sh
 COPY deploy/workspace/git-credential-relay /usr/local/bin/git-credential-relay
@@ -66,7 +66,8 @@ ENV AGENT_RELAY_DASHBOARD_PORT=3888
 ENV PATH="/home/workspace/.local/bin:$PATH"
 
 # Expose ports
-EXPOSE 3888 3889
+# 3888: Dashboard/API, 3889: Daemon, 1455: Codex OAuth callback, 2222: SSH (for tunneling)
+EXPOSE 3888 3889 1455 2222
 
 # Volume for persistent data
 VOLUME ["/data", "/workspace"]

deploy/workspace/Dockerfile.base

@@ -18,7 +18,10 @@ RUN apt-get update && apt-get install -y \
     make \
     g++ \
     procps \
-    && rm -rf /var/lib/apt/lists/*
+    openssh-server \
+    && rm -rf /var/lib/apt/lists/* \
+    && mkdir -p /run/sshd \
+    && ssh-keygen -A
 
 # Install GitHub CLI (gh)
 RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg \

deploy/workspace/entrypoint.sh

@@ -13,6 +13,36 @@ if [[ "$(id -u)" == "0" ]]; then
   log "Fixing volume permissions..."
   chown -R workspace:workspace /data /workspace 2>/dev/null || true
 
+  # ============================================================================
+  # SSH Server Setup (for CLI tunneling - Codex OAuth callback forwarding)
+  # When ENABLE_SSH=true, start SSH server on port 2222 for secure tunneling
+  # ============================================================================
+  if [[ "${ENABLE_SSH:-false}" == "true" ]]; then
+    log "Starting SSH server on port 2222..."
+
+    # Set SSH password for workspace user
+    SSH_PASS="${SSH_PASSWORD:-devpassword}"
+    echo "workspace:${SSH_PASS}" | chpasswd
+
+    # Configure SSH server for tunneling
+    # - Allow password auth (for CLI simplicity)
+    # - Listen on port 2222 (non-privileged)
+    # - Allow TCP forwarding (for port tunneling)
+    cat > /etc/ssh/sshd_config.d/workspace.conf <<SSHEOF
+Port 2222
+PasswordAuthentication yes
+PermitRootLogin no
+AllowUsers workspace
+AllowTcpForwarding yes
+GatewayPorts no
+X11Forwarding no
+SSHEOF
+
+    # Start SSH server in background
+    /usr/sbin/sshd -e
+    log "SSH server started (port 2222, user: workspace)"
+  fi
+
   # ============================================================================
   # Persist workspace environment for SSH sessions (must be done as root)
   # SSH sessions don't inherit the container's runtime environment, so we write