Skip to content

Claude/eager gagarin 9eedc4#4

Merged
CodeLifterIO merged 2 commits into
mainfrom
claude/eager-gagarin-9eedc4
May 17, 2026
Merged

Claude/eager gagarin 9eedc4#4
CodeLifterIO merged 2 commits into
mainfrom
claude/eager-gagarin-9eedc4

Conversation

@CodeLifterIO

Copy link
Copy Markdown
Contributor

No description provided.

CodeLifterIO and others added 2 commits May 16, 2026 16:07
Adds forwarded-headers middleware so the app sees the original https
scheme behind the tunnel, and gates HttpsRedirection to Development so
the in-container HTTP listener doesn't redirect-loop.

New prod.docker-compose.yml runs the release image on plain HTTP
(5100:80), since Cloudflare Tunnel terminates TLS upstream. No dev cert
mount, restart=unless-stopped for reboot survival.

docker-run.ps1 retargeted to the new compose file; also fixes
pre-existing service-name mismatches in the logs/restart subcommands.

PHASE_A_DEPLOYMENT.md walks the host-side checklist (prereqs, .env,
cloudflared service install, verification) for the Windows rig.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Strategic plan doc for the Cloudflare Tunnel migration. Captures the
decisions already made (Tunnel as edge, drop YARP/Certes, fold the
trimmed model + UI into the main app), the file map for both phases,
verification gates, and notes for a Claude session picking the work up
on the Windows machine.

PHASE_A_DEPLOYMENT.md stays as the operational host checklist; this is
the higher-level companion.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@CodeLifterIO CodeLifterIO merged commit 2e8470c into main May 17, 2026
3 checks passed
@augmentcode

augmentcode Bot commented May 17, 2026

Copy link
Copy Markdown
🤖 Augment PR Summary

Summary: This PR updates StageZero’s Phase A deployment approach to run behind a Cloudflare Tunnel (Cloudflare terminates TLS; the container serves plain HTTP).

Changes:

  • Added forwarded-headers support in StageZero/Program.cs to respect X-Forwarded-For/X-Forwarded-Proto when running behind cloudflared.
  • Gated UseHttpsRedirection() to Development only to avoid redirecting to a non-existent in-container HTTPS listener in Production.
  • Added prod.docker-compose.yml to run the release container on HTTP (host port 5100 → container port 80) with a persisted /app-data volume.
  • Updated docker-run.ps1 to use the new production compose file and corrected the service name used by logs/restart.
  • Added PHASE_A_DEPLOYMENT.md and DEPLOYMENT_PLAN.md documenting the Phase A host checklist and the Phase B roadmap (API-managed tunnel).

Technical Notes: This setup assumes Cloudflare Tunnel is the edge layer (routing + TLS) and the app is not expected to serve HTTPS directly in Production.

🤖 Was this summary useful? React with 👍 or 👎

@augmentcode augmentcode Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review completed. 3 suggestions posted.

Fix All in Augment

Comment augment review to trigger a new review at any time.

Comment thread StageZero/Program.cs
{
options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
options.KnownIPNetworks.Clear();
options.KnownProxies.Clear();

@augmentcode augmentcode Bot May 17, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

KnownIPNetworks.Clear()/KnownProxies.Clear() makes the app trust X-Forwarded-* from any direct caller, which can allow spoofed client IP/scheme if the app is reachable on the LAN/host port. If StageZero is expected to be accessed only via cloudflared, consider constraining where forwarded headers are accepted (or ensuring the container isn’t directly reachable except via the tunnel).

Severity: medium

Fix This in Augment

🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.

Comment thread prod.docker-compose.yml
dockerfile: StageZero/Dockerfile
target: release
ports:
- "5100:80"

@augmentcode augmentcode Bot May 17, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Publishing "5100:80" binds the container port on all interfaces by default, which can unintentionally expose the HTTP app directly (bypassing Cloudflare/Tunnel). If the intent is “tunnel-only,” consider limiting exposure so only the local connector can reach it.

Severity: medium

Fix This in Augment

🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.

Comment thread docker-run.ps1
'up' {
Write-Host "Starting StageZero..." -ForegroundColor Green
docker-compose -f debug.docker-compose.yml up --build -d
docker-compose -f prod.docker-compose.yml up --build -d

@augmentcode augmentcode Bot May 17, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This script assumes docker-compose is available; on some Docker Desktop installs only docker compose is present, which would make up/down/logs fail at runtime. Consider ensuring the prerequisites/docs match the exact command expected on the target host.

Severity: low

Fix This in Augment

🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.

CodeLifterIO added a commit that referenced this pull request Jun 13, 2026
…agarin-9eedc4"

This reverts commit 2e8470c, reversing
changes made to dad209b.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant