Architecture adjustments #88
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When Claude (or other AI CLIs) authentication is revoked due to session limits (user auth elsewhere), the wrapper now detects this and: - Sends auth_revoked message to daemon - Emits auth_revoked event for listeners - Tracks auth state with throttled checking New files: - src/wrapper/auth-detection.ts - Auth error pattern detection - docs/auth-revocation-handling.md - Design documentation This is the first part of auth revocation handling. Still needed: - Re-authentication flow - Dashboard UI notification - Pre-auth warning about session limits 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <[email protected]>
Enable multi-user workspaces by storing credentials in user-specific
directories on the persistent /data volume.
Changes:
- Add UserDirectoryService for managing /data/users/{userId}/ structure
- Add WORKSPACE_OWNER_USER_ID to all provisioners (Fly.io, Railway, Docker)
- Update entrypoint.sh to set HOME to user-specific directory on /data
- All provider credentials (.claude/, .codex/, .config/gcloud/) now stored per-user
- Credentials persist across workspace restarts via Fly.io volume
Structure:
/data/
└── users/
└── {userId}/
├── .claude/
├── .codex/
└── .config/gcloud/
This enables future multi-user support where different users can have
their own CLI credentials on shared workspaces.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <[email protected]>
Fresh Fly.io volumes are root-owned. The entrypoint was dropping privileges before fixing permissions, causing mkdir failures when setting up per-user directories on /data. Fix: chown /data and /workspace BEFORE dropping to workspace user. This likely fixes "Proxy not finding machines to route requests" errors where the container was failing to start due to permission denied errors. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <[email protected]>
…cture-adjustments
- Add complete CRUD routes for project groups in coordinators.ts: - GET /api/project-groups - List all groups with repositories - POST /api/project-groups - Create new group - PATCH /api/project-groups/:id - Update group - DELETE /api/project-groups/:id - Delete group - POST /api/project-groups/:id/repositories - Add repos to group - DELETE /api/project-groups/:id/repositories/:repoId - Remove repo - PUT /api/project-groups/reorder - Reorder groups - Update CoordinatorPanel.tsx with full CRUD functionality: - Display groups with their repositories - Create new groups with selected repos - Edit group name/description inline - Add repos to existing groups - Remove repos from groups - Delete groups - Fix App.tsx workspace settings to open full settings page - Add auth revocation detection to pty-wrapper.ts 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <[email protected]>
- Use 1GB instance for free tier (vs 2GB for paid) to reduce costs (~$7/mo vs ~$15/mo) - Add compute enforcement cron that checks free tier users every 15 mins and stops workspaces when 5-hour limit exceeded - Add UsageBanner component showing remaining compute hours with upgrade CTA - Add admin user system via ADMIN_USERS env var (comma-separated GitHub usernames) - Admin users bypass Stripe checkout and get enterprise features - Fix billing page hanging for free tier users without Stripe customer ID - Add graceful workspace resizing that doesn't disrupt running agents: - Stopped workspaces: resize immediately - Running workspaces: save config for next restart (skip_launch: true) - Add workspace resize call after plan upgrade (via Stripe webhook or admin upgrade) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR includes multiple architectural improvements spanning auth revocation handling, per-user credential storage, project groups management, and free tier cost optimizations.
Includes #87
1. Auth Revocation Detection for Workspace Agents
New Files:
src/wrapper/auth-detection.ts- Pattern detection for auth errorsdocs/auth-revocation-handling.md- Design documentationModified:
src/wrapper/pty-wrapper.ts- Integration with pty wrappersrc/wrapper/tmux-wrapper.ts- Integration with tmux wrapperWhat it does:
When CLI tools (Claude, Codex, etc.) lose authentication due to session limits:
auth_revokedmessage to daemonauth_revokedevent for listeners2. Per-User Credential Storage on Workspace Volumes
New Files:
src/daemon/user-directory.ts- UserDirectoryService for managing per-user directoriessrc/daemon/user-directory.test.ts- TestsModified:
deploy/workspace/entrypoint.sh- Sets HOME to user-specific directory, fixes volume permissionssrc/cloud/provisioner/index.ts- AddsWORKSPACE_OWNER_USER_IDto all provisionersStructure:
Why: Enables multi-user workspaces where different users have their own CLI credentials on shared workspaces. Credentials persist across restarts via Fly.io volumes.
Fix: Also fixes Fly.io permission issue - fresh volumes are root-owned, entrypoint now
chowns before dropping privileges.3. Project Groups CRUD API and Frontend
New Files:
src/cloud/api/coordinators.ts- Complete CRUD routesAPI Endpoints:
/api/project-groups/api/project-groups/api/project-groups/:id/api/project-groups/:id/api/project-groups/:id/repositories/api/project-groups/:id/repositories/:repoId/api/project-groups/reorderModified:
src/dashboard/react-components/CoordinatorPanel.tsx- Full CRUD UIsrc/dashboard/react-components/App.tsx- Workspace settings link4. Free Tier Cost Optimizations
New Files:
src/cloud/services/compute-enforcement.ts- Cron service for enforcing limitssrc/dashboard/react-components/UsageBanner.tsx- Usage display componentModified:
src/cloud/provisioner/index.ts- Plan-based instance sizing, graceful resizesrc/cloud/api/billing.ts- Admin bypass, workspace resizing on upgradesrc/cloud/config.ts- Admin users configsrc/cloud/db/drizzle.ts-findByPlan()methodsrc/cloud/server.ts- Compute enforcement service startupsrc/cloud/services/index.ts- Export compute enforcementFeatures:
$7/mo), Paid: 2 CPU/2GB ($15/mo)ADMIN_USERSenv var bypasses Stripeskip_launch: true, applies on next restartTest Plan