gitpod-io
diff --git a/‎memory-bank/activeContext.md‎
Lines changed: 3 additions & 0 deletions b/‎memory-bank/activeContext.md‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎memory-bank/components/proxy.md‎
Lines changed: 123 additions & 0 deletions b/‎memory-bank/components/proxy.md‎
Lines changed: 123 additions & 0 deletions
diff --git a/‎memory-bank/components/server.md‎
Lines changed: 136 additions & 0 deletions b/‎memory-bank/components/server.md‎
Lines changed: 136 additions & 0 deletions
@@ -25,6 +25,9 @@ Key areas of focus include:
   - ide-service: Manages IDE configurations and resolves workspace IDE requirements
   - registry-facade: Modifies container images by adding layers for workspaces
   - image-builder-mk3: Builds custom workspace images from user-defined Dockerfiles
+  - server: Main backend service handling API requests and user management
+  - proxy: Main entry point for all HTTP and WebSocket traffic
+  - ws-proxy: Handles routing and proxying of traffic to workspaces
 
 As work progresses, this section will continue to be updated to reflect:
 - Additional component documentation
 
@@ -0,0 +1,123 @@
+# Proxy Component
+
+## Overview
+
+The Proxy is a critical component in Gitpod that serves as the main entry point for all HTTP and WebSocket traffic to the platform. It routes requests to the appropriate backend services, handles TLS termination, enforces security policies, and provides various routing and transformation capabilities for the Gitpod platform.
+
+## Purpose
+
+The primary purposes of the Proxy component are:
+- Act as the main ingress point for all Gitpod traffic
+- Route requests to appropriate backend services
+- Terminate TLS connections
+- Enforce security headers and policies
+- Handle workspace-specific routing
+- Provide WebSocket support
+- Implement cross-origin resource sharing (CORS) policies
+- Support custom domain routing
+- Provide health checks and metrics endpoints
+
+## Architecture
+
+The Proxy is built on Caddy, a powerful, extensible web server with automatic HTTPS capabilities. The Gitpod proxy extends Caddy with custom plugins to handle specific Gitpod requirements:
+
+1. **Core Proxy**: Handles general routing and TLS termination
+2. **Workspace Handler**: Routes workspace-specific requests
+3. **Custom Plugins**: Extend Caddy with Gitpod-specific functionality
+4. **Security Layer**: Enforces security headers and policies
+5. **Metrics Endpoint**: Provides monitoring capabilities
+
+## Key Files and Structure
+
+- `Dockerfile`: Builds the proxy container with Caddy and custom plugins
+- `conf/Caddyfile`: Main configuration file for the proxy
+- `conf/workspace-handler.full`: Configuration for handling workspace requests
+- `conf/workspace-handler.meta`: Configuration for handling workspace metadata
+- `plugins/`: Custom Caddy plugins for Gitpod-specific functionality
+
+## Custom Plugins
+
+The proxy includes several custom Caddy plugins to extend its functionality:
+
+1. **corsorigin**: Handles Cross-Origin Resource Sharing (CORS) policies
+2. **secwebsocketkey**: Validates WebSocket connections
+3. **workspacedownload**: Manages workspace content downloads
+4. **headlesslogdownload**: Handles headless log downloads
+5. **configcat**: Integrates with ConfigCat feature flags
+6. **analytics**: Provides analytics functionality
+7. **logif**: Conditional logging
+8. **jsonselect**: JSON selection for logs
+9. **sshtunnel**: SSH tunneling support
+10. **frontend_dev**: Development mode for frontend
+
+## Configuration
+
+The proxy is configured via the Caddyfile, which includes:
+
+### Main Domain Configuration
+- TLS settings
+- Security headers
+- Routing rules for the main Gitpod domain
+- API endpoints
+- Backend service routing
+
+### Workspace Domain Configuration
+- Routing for workspace-specific domains
+- Port forwarding
+- WebSocket handling
+- IDE-specific routing
+
+### Security Configuration
+- HTTP to HTTPS redirection
+- Security headers
+- CORS policies
+- WebSocket validation
+
+## Routing Logic
+
+The proxy implements sophisticated routing logic:
+
+1. **Main Domain Routing**: Routes requests to the main Gitpod domain to appropriate backend services
+2. **Workspace Routing**: Routes workspace requests based on subdomain patterns
+3. **API Routing**: Routes API requests to the server component
+4. **Public API Routing**: Routes public API requests to the public-api-server
+5. **Static Content**: Routes static content requests to appropriate services
+6. **WebSocket Routing**: Handles WebSocket connections for real-time communication
+
+## Workspace Routing
+
+Workspace routing is particularly complex, handling several patterns:
+
+1. **Standard Workspace**: `<workspace-id>.ws.<region>.<domain>`
+2. **Port Forwarding**: `<port>-<workspace-id>.ws.<region>.<domain>`
+3. **Debug Workspace**: `debug-<workspace-id>.ws.<region>.<domain>`
+4. **Foreign Content**: Special routes for VS Code webviews and webworkers
+
+## Security Considerations
+
+The proxy implements several security measures:
+
+- TLS termination with secure configuration
+- HTTP Strict Transport Security (HSTS)
+- Content Security Policy (CSP)
+- Cross-Origin Resource Sharing (CORS) policies
+- XSS protection
+- Referrer policy
+- WebSocket validation
+
+## Common Usage Patterns
+
+The Proxy is typically used to:
+1. Route client requests to appropriate backend services
+2. Provide secure access to workspaces
+3. Handle WebSocket connections for real-time communication
+4. Enforce security policies
+5. Provide health checks and metrics
+
+## Related Components
+
+- **Server**: Receives API requests routed through the proxy
+- **Dashboard**: Serves the web UI through the proxy
+- **WS Proxy**: Handles workspace-specific traffic
+- **IDE Proxy**: Manages IDE-specific routing
+- **Public API Server**: Provides public API endpoints
@@ -0,0 +1,136 @@
+# Server Component
+
+## Overview
+
+The Server is a central component in Gitpod that serves as the main backend service, handling API requests, authentication, user management, workspace operations, and integration with various source code management systems. It acts as the core orchestrator for the Gitpod platform, connecting various components and providing a unified API for clients.
+
+## Purpose
+
+The primary purposes of the Server component are:
+- Provide API endpoints for client applications (dashboard, IDE, CLI)
+- Handle user authentication and session management
+- Manage user accounts and preferences
+- Coordinate workspace creation and management
+- Integrate with source code management systems (GitHub, GitLab, Bitbucket)
+- Process webhooks for prebuilds and other automated operations
+- Manage billing and subscription information
+- Provide real-time communication via WebSockets
+- Coordinate with other Gitpod components
+
+## Architecture
+
+The Server operates as an Express.js application with several key components:
+
+1. **API Server**: Provides HTTP and WebSocket endpoints for client communication
+2. **Authentication System**: Handles user authentication and session management
+3. **Database Interface**: Interacts with the database for persistent storage
+4. **WebSocket Manager**: Manages real-time communication with clients
+5. **SCM Integrations**: Connects with GitHub, GitLab, Bitbucket, and other platforms
+6. **Workspace Coordinator**: Manages workspace lifecycle in coordination with ws-manager
+7. **Monitoring Endpoints**: Provides health checks and metrics
+
+The server is designed as a modular application using dependency injection (Inversify) to manage components and their dependencies.
+
+## Key Files and Structure
+
+- `main.ts`: Entry point that initializes the container and starts the server
+- `init.ts`: Handles server initialization and setup
+- `server.ts`: Core server implementation
+- `src/api/`: API endpoints and handlers
+- `src/auth/`: Authentication and authorization
+- `src/workspace/`: Workspace management
+- `src/user/`: User management
+- `src/prebuilds/`: Prebuild functionality
+- `src/billing/`: Billing and subscription management
+- `src/github/`, `src/gitlab/`, `src/bitbucket/`: SCM integrations
+
+## Dependencies
+
+### Internal Dependencies
+- `components/gitpod-db`: Database access layer
+- `components/gitpod-protocol`: Shared protocol definitions
+- `components/content-service-api`: Content service API definitions
+- `components/ws-manager-api`: Workspace manager API definitions
+- `components/image-builder-api`: Image builder API definitions
+- Various other Gitpod component APIs
+
+### External Dependencies
+- Express.js for HTTP server
+- WebSocket for real-time communication
+- Inversify for dependency injection
+- TypeORM for database access
+- Redis for caching and pub/sub
+- Prometheus for metrics
+- Various SCM platform SDKs
+
+## Configuration
+
+The Server is configured via environment variables and configuration files, including:
+
+- Server address and port
+- Database connection details
+- Authentication providers
+- SCM integration settings
+- Feature flags
+- Monitoring and logging settings
+
+## API Services
+
+The Server exposes multiple API endpoints:
+
+1. **User API**: User management, authentication, and preferences
+2. **Workspace API**: Workspace creation, management, and access
+3. **SCM Integration APIs**: GitHub, GitLab, Bitbucket webhooks and OAuth
+4. **Billing API**: Subscription and payment management
+5. **WebSocket API**: Real-time communication with clients
+6. **Health and Metrics API**: System health and monitoring
+
+## Authentication and Authorization
+
+The Server supports multiple authentication methods:
+
+1. **Session-based Authentication**: For web clients
+2. **Bearer Token Authentication**: For API access
+3. **OAuth Integration**: With GitHub, GitLab, Bitbucket, etc.
+4. **Personal Access Tokens**: For programmatic access
+
+Authorization is handled through a combination of user roles, permissions, and access controls.
+
+## Integration Points
+
+The Server integrates with:
+1. **Database**: For persistent storage
+2. **Redis**: For caching and pub/sub messaging
+3. **Workspace Manager**: For workspace lifecycle management
+4. **Image Builder**: For custom workspace images
+5. **Content Service**: For workspace content management
+6. **SCM Platforms**: For repository access and webhooks
+7. **Payment Providers**: For billing and subscriptions
+
+## Security Considerations
+
+- Implements CSRF protection for WebSocket connections
+- Handles authentication and session management securely
+- Validates and sanitizes user input
+- Implements proper error handling and logging
+- Uses HTTPS for secure communication
+- Manages sensitive data securely
+
+## Common Usage Patterns
+
+The Server is typically used to:
+1. Handle API requests from the dashboard and IDE
+2. Process authentication and session management
+3. Coordinate workspace creation and management
+4. Handle webhooks from SCM platforms
+5. Manage user accounts and preferences
+6. Process billing and subscription information
+
+## Related Components
+
+- **Dashboard**: Frontend interface that communicates with the server
+- **Workspace Manager**: Manages workspace instances
+- **Content Service**: Manages workspace content
+- **Image Builder**: Builds custom workspace images
+- **Database**: Stores persistent data
+- **IDE Service**: Provides IDE configuration