This document outlines the planned development phases for Simple Agent Manager (SAM).
Status: Complete
Core functionality for workspace management with GitHub OAuth:
- Create workspace from git repository
- GitHub OAuth authentication (BetterAuth)
- GitHub App for private repository access
- View workspace list with status
- Manually stop/restart workspaces
- Automatic idle shutdown (30 min)
- Web UI for workspace management
- D1 database for persistence
- Encrypted credential storage (user Hetzner tokens)
Status: Complete (core features)
Web-based terminal access to running workspaces:
- VM Agent (Go) with WebSocket terminal
- JWT-based terminal authentication
- Idle detection and heartbeat system
- xterm.js terminal UI
- Secure bootstrap token credential delivery
- Workspace ownership validation
- WebSocket reconnection handling
- Automated deployment via Pulumi + GitHub Actions (spec 005)
- Multi-Agent ACP protocol support (spec 007)
- UI component governance system (spec 009)
- File explorer integration
- Terminal session persistence
Target: Q1 2026
Improvements to user experience and reliability:
- Workspace logs and debugging
- Better error UX for build failures: categorize errors (transient vs config vs provider), show actionable guidance, persist boot logs past error state, expandable build log detail with copy-to-clipboard. Context: third-party devcontainer features can fail with transient 503s (e.g., GHCR rate limiting), leaving users with a generic red error box and no next step.
- Retry failed workspace builds: extend POST /api/workspaces/:id/restart to accept error status (currently only stopped), clean up partial resources (orphaned VMs, stale DNS) before retry, add "Retry" button to WorkspaceCard for error state. Optionally track retry count and cap at a configurable max.
- Custom devcontainer support
- Multiple repository sources (GitLab, Bitbucket)
- Workspace templates
- SSH access to workspaces
- Persistent storage (R2)
- Cost estimation display
- Configurable subdomains (api/app/workspace prefixes)
- Caddy on VMs for TLS cert provisioning (Let's Encrypt): move workspace access to per-workspace wildcards (e.g., *.{id}.ws.${BASE_DOMAIN}) served directly by the VM (Caddy + agent) instead of the Worker proxy. This also enables multi-level subdomain BASE_DOMAINs (e.g., sam.company.com) that Cloudflare free Universal SSL doesn't cover.
Target: Q2 2026
Support for teams and organizations:
- Team management
- Per-user API tokens
- Usage quotas and limits
- Billing integration
- Audit logging
Target: Q3 2026
Features for enterprise deployments:
- Private networking (VPC)
- Custom domain support
- SSO integration (SAML, OIDC)
- Compliance features (SOC 2)
- Multi-region support
- Custom VM images
- API rate limiting
Target: Future
- VM callback token exchange flow (one-time code → JWT + refresh token)
- Token rotation for long-lived workspaces
- Workspace audit logging
- Least-privilege Cloudflare credentials: split deployment vs runtime tokens. Runtime should use a zone-scoped DNS-only token (just enough to create/delete vm-{id} backend DNS records); keep broader infra permissions in CI/Pulumi only.
Features under consideration for later phases:
- Alternative cloud providers (AWS, GCP, Azure)
- VS Code Remote integration
- Collaborative editing
- Workspace snapshots and restore
- GPU instances for AI workloads
- Kubernetes-based workspaces
Have ideas for the roadmap? Open an issue with the "enhancement" label.