feat(console): drop legacy console, ship web-studio in pip, keep favicon routes#2160
Merged
Merged
Conversation
PR Reviewer Guide 🔍Here are some key observations to aid the review process:
|
PR Code Suggestions ✨No code suggestions found for the PR. |
ZaynJarvis
force-pushed
the
feat/remove-old-console
branch
from
355c83f to
2f8fa88
Compare
…o in pip, fix favicons The OpenViking docker image still launched the legacy `openviking/console` standalone service on port 8020. Now that web-studio is bundled into the OV server itself at /studio (see volcengine#2156), that process is redundant and the port is just a confusing artefact. This change retires the old console (python package + 8020 + console-frontend favicons) but **keeps the in-compose Caddy as a stable single-ingress on port 1934**, just simplified to one upstream now that there's no 8020. The server-side BFF at `openviking/server/routers/console.py` (under `/api/v1/console/*`) is also kept — web-studio uses the same endpoints. **The OAuth authorize page (`openviking/server/oauth/router.py`) is deliberately untouched in this PR** — the console-link button and Quick authorize same-origin panel will be re-pointed at web-studio in a focused follow-up. BREAKING CHANGES: - Port 8020 is gone from the docker image and docker-compose.yml; Caddy at 1934 now forwards everything to 1933 (web-studio lives at /studio there). Anything bookmarked at `http://host:8020/...` must migrate to `http://host:1933/studio/`. - `python -m openviking.console.bootstrap` no longer exists; the python package `openviking.console` has been removed. Pip packaging: - web-studio dist is now shipped inside the wheel under `openviking/web_studio/dist/` (mirroring the old `openviking/console/static/` layout). The dockerfile copies `--from=web-studio-builder /web-studio/dist` into the source tree before `uv sync`, so the wheel produced by the default docker build always carries the SPA. Building the wheel without running `npm run build` first leaves the directory empty, which gracefully degrades /studio to a 404 without breaking server startup. - Favicon assets (`favicon.ico` / `favicon-32.png` / `apple-touch-icon.png`, ~11 KB total) are duplicated into `openviking/server/static/` and shipped via package-data so `/favicon.*` and `/mcp/favicon.*` routes are always registered, regardless of whether the web-studio dist is bundled. - `pyproject.toml` and `setup.py` `package-data` drop `console/static/**` and add `server/static/**` + `web_studio/dist/**`. - New favicons (the 16/32/180 set in both `openviking/server/static/` and `web-studio/public/`) are downscaled from the canonical `web-studio/public/openviking-icon.png`, so the small-icon family matches the SPA's high-res rel="icon" target — the studio tab icon now stays consistent whether the browser uses the HTML link tag or falls back to auto-fetching `/favicon.ico`. Server: - `openviking/server/app.py` now reads `/studio` from `Path(__file__).parent.parent / 'web_studio' / 'dist'` by default; `OPENVIKING_WEB_STUDIO_DIR` still wins for dev mode pointing at a repo-local build. Favicon routes are unconditionally registered and load from `openviking/server/static/`. - `openviking/observability/usage_audit/projection.py` drops the legacy `/console/*` skip prefix (the BFF prefix `/api/v1/console/*` remains). Docker: - `web-studio-builder` stage moved earlier (Stage 2) so its dist can flow into `py-builder` before `uv sync` runs. - Runtime stage no longer separately copies the dist or sets `OPENVIKING_WEB_STUDIO_DIR`; the in-package path is the default. - Entrypoint renamed `openviking-console-entrypoint.sh` -> `openviking-entrypoint.sh` and stripped of the `python -m openviking.console.bootstrap` launch. - `EXPOSE 1933 8020` -> `EXPOSE 1933`. - `docker-compose.yml` drops the openviking service's 8020 port mapping; the caddy service stays but no longer needs port 8020 exposed. - `Caddyfile` simplified to a single `:1934 { reverse_proxy openviking:1933 }` — the legacy `/console/*` route to :8020 is gone. Docs: - en/zh quickstart updated to drop the 8020 mapping and explain that the API server now also serves `/studio`. - Other guides (`12-public-access.md`, `11-oauth.md`, `05-observability.md`, `04-setup-for-agent.md`, `03-deployment.md`) are intentionally left for a focused follow-up PR alongside the OAuth quick-authorize reintroduction. Tests: - Deleted `tests/misc/test_console_{proxy,static_assets}.py` (covered the removed console package). `tests/observability/test_console_router.py` stays — it covers the BFF, which remains.
ZaynJarvis
force-pushed
the
feat/remove-old-console
branch
from
2f8fa88 to
2d7fcf5
Compare
ZaynJarvis
changed the title
qin-ctx
approved these changes
May 21, 2026
19 tasks
ZaynJarvis
pushed a commit
that referenced
this pull request
May 21, 2026
#2160 dropped the legacy `/console` standalone service but deliberately left the OAuth authorize page's `/console` link and Quick-authorize panel in place, calling out a follow-up to re-point them at web-studio. This PR is that follow-up. Backend - `provider.authorize()` now defaults to redirecting to `/studio/oauth/consent` (same-origin SPA) instead of the server-rendered `/oauth/authorize/page`. New `FALLBACK_AUTHORIZE_PAGE` constant exposed for callers that need to opt into the legacy path. - New public endpoint `GET /api/v1/auth/oauth/pending/{pending_id}` returns the minimum info the consent UI needs (client_name, redirect_host, scopes); deliberately does NOT expose display_code or full redirect_uri. - `POST /api/v1/auth/oauth-verify` now accepts either `pending_id` (Studio consent path) or `code` (cross-device fallback). - HTML `/oauth/authorize/page` template stripped of `/console` link, the `/console/api/v1/...` JS, and the Quick-authorize same-origin panel. It now serves as a pure cross-device fallback that points users at `/studio/oauth/verify` on another already-signed-in device. Web Studio - New `<IdentityPicker>` shared component: "current identity" or "use a different API key" — the temporary key is never persisted. - New routes `/studio/oauth/consent` (same-device consent card) and `/studio/oauth/verify` (cross-device code entry). - ConnectionDialog gains an "OAuth client OTP" section (same IdentityPicker), driving `POST /api/v1/auth/otp`. - API key storage is unchanged: only sessionStorage. No new localStorage writes, no cross-tab channels — the consent UI runs inside Studio's own tab, so it reads the session-stored key directly. Docs - 11-oauth.md (zh/en): refreshed quickstart, How-it-works, Claude.ai walkthrough, curl example, and troubleshooting around the Studio consent / cross-device verify split. - 12-public-access.md (zh/en): rewritten to lead with public HTTPS; the `:1934` Caddy block is now a one-paragraph compatibility note for deployments that already bookmarked it. - mcp-oauth2-1.md: top-level "Studio migration" note explains the new default path; Phase 1 history retained. - Caddyfile / docker-compose.yml comments reworded from "aggregated proxy" to "legacy fallback" to match the new docs. Tests - `tests/server/oauth/test_router.py` fixture pins to FALLBACK_AUTHORIZE_PAGE so existing end-to-end assertions keep working. - 4 new tests cover the pending-info endpoint and pending_id verify path. - 55 passed locally; ruff format+check, web-studio tsc/eslint/prettier all clean. Security notes - Consent UI requires explicit user click; client_name + redirect_host shown for phishing identification. - Knowing a pending_id does not bypass Bearer auth. - display_code is not returned by GET pending — the cross-device brute-force protection is preserved. - `ctx.from_oauth` gate (router.py) untouched: OAuth bearer still cannot mint new OAuth state or OTPs.
3 tasks
qin-ctx
pushed a commit
that referenced
this pull request
May 21, 2026
…/studio) (#2175) Follow-up to #2160 (console removal) and #2170 (OAuth UI moved to web-studio). Six guides still showed the old `python -m openviking.console.bootstrap` launch + `-p 8020:8020` docker run snippets, which now fail because the console package is gone and the image no longer exposes 8020. - docs/{en,zh}/getting-started/04-setup-for-agent.md: drop `-p 8020:8020` from docker run and the "ports: 1933:1933, 8020:8020" summary; note that Web Studio is served by the OV server at `/studio` so no extra port is needed. - docs/{en,zh}/guides/03-deployment.md: drop 4× `-p 8020:8020` snippets, replace "OpenViking Console on port 8020" with the inline `/studio` mention, and update the "access this after startup" list to point at `http://localhost:1933/studio` (with 1934 documented as a legacy Caddy fallback consistent with the updated 12-public-access guide). - docs/{en,zh}/guides/05-observability.md: rewrite the "Web Studio for web-based investigation" section. The standalone-bootstrap launch is gone; instead direct readers to `/studio` and its observability-relevant pages — Home (token/retrieval/context-commit trends, /api/v1/console/* BFF), Request Logs (audit), Resources, Retrieval, Sessions. Update the "choose an entry point" table accordingly. docs/design/mcp-oauth2-1.md is intentionally untouched — it's a historical design document. The README inside openviking/observability/usage_audit/ and 12-public-access.md were already updated in earlier PRs.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Follow-up to #2156. Retires the legacy
openviking/consolestandalone service end-to-end (python package, docker port 8020,python -m openviking.console.bootstrap), ships the new web-studio SPA inside the pip wheel (mirroring the oldconsole/staticpackaging layout), and decouples the/favicon.*//mcp/favicon.*routes from the web-studio bundle so they never 404 — including in pip-only installs.Kept on purpose:
openviking/server/routers/console.py(under/api/v1/console/*) — web-studio uses the same endpoints.reverse_proxy openviking:1933) now that 8020 is gone.openviking/server/oauth/router.py— the console-link button and Quick authorize same-origin panel are not touched in this PR. They'll be re-pointed at web-studio in a focused follow-up. Until then, the panel never activates (no console means noov_console_api_keyin localStorage), and the link opens/consolewhich 404s. Both are harmless cosmetic degradations.Type of Change
openviking.consolepackage)openviking/web_studio/dist)Breaking changes
http://host:8020/...must migrate tohttp://host:1933/studio/. Image'sEXPOSEis now just1933; docker-compose drops the 8020 mapping. Caddy at 1934 still works as before, now just one upstream.python -m openviking.console.bootstrapremoved. The standalone console package is deleted along with its tests.Changes Made
Pip packaging
openviking/web_studio/__init__.pymakesweb_studio/a python subpackage, withdist/**shipped viapyproject.tomlandsetup.pypackage-data.favicon.ico/favicon-32.png/apple-touch-icon.png, ~11 KB total) duplicated intoopenviking/server/static/so the routes always work even without a web-studio build.openviking/server/static/andweb-studio/public/) are now downscaled from the canonicalweb-studio/public/openviking-icon.png, so the studio tab icon stays consistent whether the browser uses the HTMLrel="icon"link tag or falls back to auto-fetching/favicon.ico.package-datalostconsole/static/**and gainedserver/static/**+web_studio/dist/**.Server
openviking/server/app.pynow reads/studiofromPath(__file__).parent.parent / 'web_studio' / 'dist'by default;OPENVIKING_WEB_STUDIO_DIRstill wins for dev mode pointing at a repo-local build. Favicon routes are unconditionally registered and load fromopenviking/server/static/.openviking/observability/usage_audit/projection.pydrops the legacy/console/*skip prefix (the BFF prefix/api/v1/console/*remains skipped).openviking/server/oauth/router.pyis NOT modified — deferred to the follow-up PR.Docker
web-studio-builderstage moved earlier (Stage 2) so its dist can flow intopy-builderbeforeuv syncruns.OPENVIKING_WEB_STUDIO_DIR.openviking-console-entrypoint.sh→openviking-entrypoint.shand stripped of thepython -m openviking.console.bootstraplaunch.docker-compose.ymldrops the openviking service's 8020 port mapping; the caddy service stays.Caddyfilesimplified to a single:1934 { reverse_proxy openviking:1933 }— the legacy/console/*→ :8020 route is gone.EXPOSE 1933 8020→EXPOSE 1933.Docs (minimal — heavy rewrite deferred)
docs/{en,zh}/getting-started/02-quickstart.mddrop the 8020 line and explain that the API server also serves/studio.openviking/observability/usage_audit/README.mdupdates the audit-skip list.12-public-access.md,11-oauth.md,05-observability.md,04-setup-for-agent.md,03-deployment.md,mcp-oauth2-1.mddesign doc) intentionally left for a focused follow-up PR alongside the OAuth quick-authorize reintroduction. Flagging here so reviewers don't miss them.Tests
tests/misc/test_console_{proxy,static_assets}.py(covered the removed package).tests/observability/test_console_router.pykept — it exercises the BFF, which stays.Testing
python -m py_compileon every touched python file passes.openviking.observability.usage_audit.projection.should_skip_audit_routebehavior verified —/api/v1/console/*still skipped, legacy/console/*no longer skipped.build-docker-image.ymlruns on this branch — most important verification, I'll watch the CI run.Additional Notes