Skip to content

fix: remote browser port proxy and UX improvements#607

Open
simple-agent-manager[bot] wants to merge 5 commits intomainfrom
fix/remote-browser-new-tab
Open

fix: remote browser port proxy and UX improvements#607
simple-agent-manager[bot] wants to merge 5 commits intomainfrom
fix/remote-browser-new-tab

Conversation

@simple-agent-manager
Copy link
Copy Markdown
Contributor

@simple-agent-manager simple-agent-manager bot commented Apr 4, 2026
edited
Loading

Summary

  • Port proxy 502 fix: Split JWT across two headers (X-SAM-Port-Token-A/B) to avoid Cloudflare edge 502 on same-zone subrequests with large header values
  • VM agent split token reassembly: Updated workspace_routing.go to reassemble split JWT headers, with fallback to single header, Bearer, and query param
  • Remote browser opens in new tab: UI button opens Neko browser URL in a new tab with a "Back to Project Chat" link
  • Auto-login: Neko URL includes ?usr=user&pwd={random_password} using the actual per-container random password (not config defaults). Neko's connect.vue:mounted() auto-connects when both params are present.
  • Port conflict fix: Changed default Neko port from 8080 to 6080 (NEKO_WEBRTC_PORT env var) to avoid shadowing user dev servers

Verification Evidence (Staging)

Tested on staging with fresh node (rule 27: delete all nodes → deploy → test fresh):

Port isolation

  • Port 6080 (Neko): HTTP 200, 1424 bytes — Neko UI served
  • Port 3000 (user's server): Returns <h1>Hello from Elysia</h1>
  • Port 8080: HTTP 502 — free for user dev servers

Auto-login

  • No login form, no password input, no connect button visible (auto-login triggered)
  • URL params stripped after consumption (Neko's auto-login code path confirmed)
  • WebSocket connected: received member/list, screen/resolution (1920x1080@30), system/init
  • WebRTC negotiation: ICE candidates exchanged, audio+video tracks received

Workspace isolation

  • Container named neko-{workspaceId} — each workspace gets its own container
  • sidecars map in manager.go keyed by workspaceID
  • Docker network, URL, and auth all workspace-scoped

Test plan

  • Port proxy returns 200 for Neko browser (port 6080)
  • Port proxy returns user's dev server content (port 3000)
  • Port 8080 is free (not intercepted by Neko)
  • Auto-login: no login form shown, WebSocket+WebRTC negotiated
  • Per-container random password used (not config default)
  • URL params stripped after auto-login consumption
  • Workspace isolation: container name includes workspace ID

🤖 Generated with Claude Code

raphaeltm and others added 5 commits April 4, 2026 12:26
@raphaeltm @claude
fix: remote browser opens in new tab with project chat button
e8a0dbc 
- BrowserSidecar component opens Neko URL in a new tab instead of iframe
- Add "Remote Browser" button to SessionHeader in project chat view
- useBrowserSidecar hook supports session-mode (projectId + sessionId)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@raphaeltm @claude
fix: VM agent port proxy routing and split token auth
7e8f4df 
- GetNekoTarget() in browser manager resolves Neko container's bridge IP
  so port proxy routes to the Neko sidecar instead of the DevContainer
- Port proxy strips split auth headers (X-SAM-Port-Token-A/B) before
  forwarding to container apps to prevent credential leakage
- Token resolution supports split JWT headers from API Worker, with
  fallback to single header, Bearer, and query parameter

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@raphaeltm @claude
fix: split port proxy JWT across two headers to avoid CF edge 502
8bd8db8 
Cloudflare's edge proxy returns 502 for same-zone subrequests when a
single header value contains a full JWT token. Splitting the JWT across
X-SAM-Port-Token-A and X-SAM-Port-Token-B headers bypasses this.

The VM agent reassembles the split token before JWT validation. The
Worker also strips the client Authorization header to prevent it from
being forwarded to the origin.

Verified end-to-end: Neko browser sidecar accessible via port proxy
subdomain (ws-{id}--8080.sammy.party) on fresh staging node.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@raphaeltm @claude
fix: auto-login to Neko browser via URL query params
84835a8 
Append ?usr=user&pwd={password} to the Neko URL so users connect
automatically without needing to know the credentials. Neko supports
these query parameters for prefilling the login form.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@raphaeltm @claude
fix: use per-container random password for Neko auto-login, change de…
6374648 
…fault port to 6080

Two fixes:
1. Auto-login URL was using config default password ("neko") instead of the
   actual per-container random password stored in SidecarState. Now uses
   state.Password which is the 64-char hex string generated at container start.

2. Changed default Neko port from 8080 to 6080 to avoid shadowing user dev
   servers (many frameworks default to 8080). Port is configurable via
   NEKO_WEBRTC_PORT env var.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud bot commented Apr 4, 2026

Quality Gate Passed Quality Gate passed

Issues
5 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@raphaeltm