@neuralnomads/codenomad-dev 0.15.0-dev-20260509-71531697 → 0.15.0-dev-20260511-efe3f505

package/dist/index.js

@@ -25,6 +25,7 @@ import { resolveNetworkAddresses, resolveRemoteAddresses } from "./server/networ
 import { startDevReleaseMonitor } from "./releases/dev-release-monitor";
 import { SpeechService } from "./speech/service";
 import { SideCarManager } from "./sidecars/manager";
+import { PreviewManager } from "./previews/manager";
 import { ClientConnectionManager } from "./clients/connection-manager";
 import { PluginChannelManager } from "./plugins/channel";
 import { VoiceModeManager } from "./plugins/voice-mode";
@@ -230,6 +231,7 @@ async function main() {
         eventBus,
         logger: logger.child({ component: "sidecars" }),
     });
+    const previewManager = new PreviewManager();
     const instanceEventBridge = new InstanceEventBridge({
         workspaceManager,
         eventBus,
@@ -313,6 +315,7 @@ async function main() {
             instanceStore,
             speechService,
             sidecarManager,
+            previewManager,
             authManager,
             clientConnectionManager,
             pluginChannel,
@@ -338,6 +341,7 @@ async function main() {
             instanceStore,
             speechService,
             sidecarManager,
+            previewManager,
             authManager,
             clientConnectionManager,
             pluginChannel,

package/dist/previews/manager.js

@@ -0,0 +1,63 @@
+import { randomUUID } from "crypto";
+export class PreviewManager {
+    constructor() {
+        this.previews = new Map();
+    }
+    create(sessionId, rawUrl) {
+        const target = this.normalizeTargetUrl(rawUrl);
+        const token = randomUUID();
+        const record = {
+            token,
+            sessionId,
+            target,
+            createdAt: new Date().toISOString(),
+        };
+        this.previews.set(token, record);
+        return this.toPreviewSession(record);
+    }
+    get(token) {
+        const record = this.previews.get(token);
+        return record ? this.toPreviewSession(record) : undefined;
+    }
+    delete(token) {
+        return this.previews.delete(token);
+    }
+    buildTargetUrl(token, incomingPath, search = "") {
+        const record = this.previews.get(token);
+        if (!record)
+            return undefined;
+        const publicBase = this.buildProxyBasePath(token);
+        let targetPath = incomingPath.startsWith(publicBase) ? incomingPath.slice(publicBase.length) : incomingPath;
+        if (!targetPath || targetPath === "/") {
+            targetPath = record.target.pathname || "/";
+        }
+        else if (!targetPath.startsWith("/")) {
+            targetPath = `/${targetPath}`;
+        }
+        return new URL(`${targetPath}${search}`, record.target.origin);
+    }
+    buildProxyBasePath(token) {
+        return `/previews/${encodeURIComponent(token)}`;
+    }
+    normalizeTargetUrl(rawUrl) {
+        const trimmed = rawUrl.trim();
+        const withProtocol = /^[a-z][a-z0-9+.-]*:/i.test(trimmed) ? trimmed : `https://${trimmed}`;
+        const target = new URL(withProtocol);
+        if (target.protocol !== "http:" && target.protocol !== "https:") {
+            throw new Error("Preview URL must use HTTP or HTTPS");
+        }
+        if (target.username || target.password) {
+            throw new Error("Preview URL cannot include credentials");
+        }
+        return target;
+    }
+    toPreviewSession(record) {
+        return {
+            token: record.token,
+            sessionId: record.sessionId,
+            targetUrl: record.target.toString(),
+            proxyUrl: `${this.buildProxyBasePath(record.token)}${record.target.pathname}${record.target.search}${record.target.hash}`,
+            createdAt: record.createdAt,
+        };
+    }
+}

package/dist/server/http-server.js

@@ -22,6 +22,7 @@ import { registerSpeechRoutes } from "./routes/speech";
 import { registerRemoteServerRoutes } from "./routes/remote-servers";
 import { registerRemoteProxyRoutes } from "./routes/remote-proxy";
 import { registerSideCarRoutes } from "./routes/sidecars";
+import { registerPreviewRoutes } from "./routes/previews";
 import { BackgroundProcessManager } from "../background-processes/manager";
 import { registerAuthRoutes } from "./routes/auth";
 import { sendUnauthorized, wantsHtml } from "../auth/http-auth";
@@ -148,7 +149,7 @@ export function createHttpServer(deps) {
             return;
         }
         const session = deps.authManager.getSessionFromRequest(request);
-        const requiresAuthForApi = pathname.startsWith("/api/") || pathname.startsWith("/workspaces/") || pathname.startsWith("/sidecars/");
+        const requiresAuthForApi = pathname.startsWith("/api/") || pathname.startsWith("/workspaces/") || pathname.startsWith("/sidecars/") || pathname.startsWith("/previews/");
         if (requiresAuthForApi && !session) {
             // Allow OpenCode plugin -> CodeNomad calls with per-instance basic auth.
             const pluginMatch = pathname.match(/^\/workspaces\/([^/]+)\/plugin(?:\/|$)/);
@@ -210,12 +211,19 @@ export function createHttpServer(deps) {
     registerRemoteProxyRoutes(app, { logger: proxyLogger, sessionManager: deps.remoteProxySessionManager });
     registerSpeechRoutes(app, { speechService: deps.speechService });
     registerSideCarRoutes(app, { sidecarManager: deps.sidecarManager });
+    registerPreviewRoutes(app, { previewManager: deps.previewManager });
     registerSideCarProxyRoutes(app, { sidecarManager: deps.sidecarManager, logger: proxyLogger });
+    registerPreviewProxyRoutes(app, { previewManager: deps.previewManager, logger: proxyLogger });
     setupSideCarWebSocketProxy(app, {
         sidecarManager: deps.sidecarManager,
         authManager: deps.authManager,
         logger: proxyLogger,
     });
+    setupPreviewWebSocketProxy(app, {
+        previewManager: deps.previewManager,
+        authManager: deps.authManager,
+        logger: proxyLogger,
+    });
     registerPluginRoutes(app, {
         workspaceManager: deps.workspaceManager,
         eventBus: deps.eventBus,
@@ -226,10 +234,10 @@ export function createHttpServer(deps) {
     registerBackgroundProcessRoutes(app, { backgroundProcessManager });
     registerInstanceProxyRoutes(app, { workspaceManager: deps.workspaceManager, logger: proxyLogger });
     if (deps.uiDevServerUrl) {
-        setupDevProxy(app, deps.uiDevServerUrl, deps.authManager);
+        setupDevProxy(app, deps.uiDevServerUrl, deps.authManager, deps.previewManager, proxyLogger);
     }
     else {
-        setupStaticUi(app, deps.uiStaticDir, deps.authManager);
+        setupStaticUi(app, deps.uiStaticDir, deps.authManager, deps.previewManager, proxyLogger);
     }
     return {
         instance: app,
@@ -306,6 +314,28 @@ function registerSideCarProxyRoutes(app, deps) {
     app.all("/sidecars/:id", proxyBaseHandler);
     app.all("/sidecars/:id/*", proxyWildcardHandler);
 }
+function registerPreviewProxyRoutes(app, deps) {
+    const proxyBaseHandler = async (request, reply) => {
+        await proxyPreviewRequest({
+            request,
+            reply,
+            previewManager: deps.previewManager,
+            logger: deps.logger,
+            pathSuffix: "",
+        });
+    };
+    const proxyWildcardHandler = async (request, reply) => {
+        await proxyPreviewRequest({
+            request,
+            reply,
+            previewManager: deps.previewManager,
+            logger: deps.logger,
+            pathSuffix: request.params["*"] ?? "",
+        });
+    };
+    app.all("/previews/:token", proxyBaseHandler);
+    app.all("/previews/:token/*", proxyWildcardHandler);
+}
 function setupSideCarWebSocketProxy(app, deps) {
     app.server.on("upgrade", (request, socket, head) => {
         const rawUrl = request.url ?? "/";
@@ -326,6 +356,26 @@ function setupSideCarWebSocketProxy(app, deps) {
         });
     });
 }
+function setupPreviewWebSocketProxy(app, deps) {
+    app.server.on("upgrade", (request, socket, head) => {
+        const rawUrl = request.url ?? "/";
+        const parsed = parsePreviewUpgradePath(rawUrl);
+        if (!parsed) {
+            return;
+        }
+        void proxyPreviewWebSocketUpgrade({
+            request,
+            socket: socket,
+            head,
+            token: parsed.token,
+            incomingPath: parsed.pathname,
+            search: parsed.search,
+            previewManager: deps.previewManager,
+            authManager: deps.authManager,
+            logger: deps.logger,
+        });
+    });
+}
 function registerInstanceProxyRoutes(app, deps) {
     app.register(async (instance) => {
         instance.removeAllContentTypeParsers();
@@ -608,7 +658,7 @@ function normalizeInstanceSuffix(pathSuffix) {
     const trimmed = pathSuffix.replace(/^\/+/, "");
     return trimmed.length === 0 ? "/" : `/${trimmed}`;
 }
-function setupStaticUi(app, uiDir, authManager) {
+function setupStaticUi(app, uiDir, authManager, previewManager, logger) {
     if (!uiDir) {
         app.log.warn("UI static directory not provided; API endpoints only");
         return;
@@ -617,6 +667,13 @@ function setupStaticUi(app, uiDir, authManager) {
         app.log.warn({ uiDir }, "UI static directory missing; API endpoints only");
         return;
     }
+    app.addHook("preHandler", (request, reply, done) => {
+        const session = authManager.getSessionFromRequest(request);
+        if (session && proxyPreviewFallbackFromReferer(request, reply, previewManager, logger)) {
+            return;
+        }
+        done();
+    });
     app.register(fastifyStatic, {
         root: uiDir,
         prefix: "/",
@@ -630,6 +687,9 @@ function setupStaticUi(app, uiDir, authManager) {
             return;
         }
         const session = authManager.getSessionFromRequest(request);
+        if (session && proxyPreviewFallbackFromReferer(request, reply, previewManager, logger)) {
+            return;
+        }
         if (!session && wantsHtml(request)) {
             reply.redirect("/login");
             return;
@@ -642,7 +702,7 @@ function setupStaticUi(app, uiDir, authManager) {
         }
     });
 }
-function setupDevProxy(app, upstreamBase, authManager) {
+function setupDevProxy(app, upstreamBase, authManager, previewManager, logger) {
     app.log.info({ upstreamBase }, "Proxying UI requests to development server");
     app.setNotFoundHandler((request, reply) => {
         const url = request.raw.url ?? "";
@@ -651,6 +711,9 @@ function setupDevProxy(app, upstreamBase, authManager) {
             return;
         }
         const session = authManager.getSessionFromRequest(request);
+        if (session && proxyPreviewFallbackFromReferer(request, reply, previewManager, logger)) {
+            return;
+        }
         if (!session && wantsHtml(request)) {
             reply.redirect("/login");
             return;
@@ -658,6 +721,45 @@ function setupDevProxy(app, upstreamBase, authManager) {
         void proxyToDevServer(request, reply, upstreamBase);
     });
 }
+function proxyPreviewFallbackFromReferer(request, reply, previewManager, logger) {
+    const rawUrl = request.raw.url ?? request.url ?? "";
+    const pathname = rawUrl.split("?")[0] ?? "";
+    if (!isPreviewFallbackPath(pathname)) {
+        return false;
+    }
+    const refererHeader = request.headers.referer ?? request.headers.referrer;
+    const referer = Array.isArray(refererHeader) ? refererHeader[0] : refererHeader;
+    if (!referer) {
+        return false;
+    }
+    const parsed = parsePreviewUpgradePath(referer);
+    if (!parsed) {
+        return false;
+    }
+    void proxyPreviewAssetRequest({
+        request,
+        reply,
+        previewManager,
+        logger,
+        token: parsed.token,
+    });
+    return true;
+}
+function isPreviewFallbackPath(pathname) {
+    if (!pathname || pathname === "/")
+        return false;
+    if (pathname.startsWith("/api/") || pathname === "/api")
+        return false;
+    if (pathname.startsWith("/workspaces/"))
+        return false;
+    if (pathname.startsWith("/sidecars/"))
+        return false;
+    if (pathname.startsWith("/previews/"))
+        return false;
+    if (pathname.startsWith("/auth/") || pathname === "/login")
+        return false;
+    return true;
+}
 async function proxyToDevServer(request, reply, upstreamBase) {
     try {
         const targetUrl = new URL(request.raw.url ?? "/", upstreamBase);
@@ -698,6 +800,69 @@ function buildProxyHeaders(headers) {
     }
     return result;
 }
+function buildFetchProxyHeaders(headers, targetOrigin) {
+    const sanitized = sanitizeSideCarProxyRequestHeaders(headers, targetOrigin);
+    const result = {};
+    for (const [key, value] of Object.entries(sanitized)) {
+        if (!value)
+            continue;
+        if (key.toLowerCase() === "cookie")
+            continue;
+        result[key] = Array.isArray(value) ? value.join(",") : value;
+    }
+    return result;
+}
+function headersToRecord(headers) {
+    const result = {};
+    headers.forEach((value, key) => {
+        result[key.toLowerCase()] = value;
+    });
+    return result;
+}
+function getHeaderValue(headers, key) {
+    const value = headers[key.toLowerCase()];
+    return Array.isArray(value) ? value[0] : value;
+}
+function shouldForwardRequestBody(method) {
+    const normalized = method.toUpperCase();
+    return normalized !== "GET" && normalized !== "HEAD";
+}
+function isHtmlContentType(contentType) {
+    const normalized = contentType.toLowerCase();
+    return normalized.includes("text/html") || normalized.includes("application/xhtml+xml");
+}
+function isCssContentType(contentType) {
+    return contentType.toLowerCase().includes("text/css");
+}
+function rewritePreviewBodyUrls(body, publicBase, kind) {
+    if (kind === "css") {
+        return rewriteCssPreviewUrls(body, publicBase);
+    }
+    return rewriteCssPreviewUrls(body
+        .replace(/\b(src|href|action|poster|data)=(["'])\/(?!\/)([^"']*)\2/gi, (_match, attr, quote, pathValue) => {
+        return `${attr}=${quote}${publicBase}/${pathValue}${quote}`;
+    })
+        .replace(/\bsrcset=(["'])([^"']*)\1/gi, (_match, quote, value) => {
+        return `srcset=${quote}${rewriteSrcsetPreviewUrls(value, publicBase)}${quote}`;
+    }), publicBase);
+}
+function rewriteCssPreviewUrls(body, publicBase) {
+    return body.replace(/url\((\s*)(["']?)\/(?!\/)([^"')]+)\2(\s*)\)/gi, (_match, before, quote, pathValue, after) => {
+        return `url(${before}${quote}${publicBase}/${pathValue}${quote}${after})`;
+    });
+}
+function rewriteSrcsetPreviewUrls(value, publicBase) {
+    return value
+        .split(",")
+        .map((entry) => {
+        const trimmed = entry.trimStart();
+        if (!trimmed.startsWith("/") || trimmed.startsWith("//"))
+            return entry;
+        const leading = entry.slice(0, entry.length - trimmed.length);
+        return `${leading}${publicBase}${trimmed}`;
+    })
+        .join(",");
+}
 async function proxySideCarRequest(args) {
     const sidecarId = args.request.params.id ?? "";
     const sidecar = await args.sidecarManager.get(sidecarId);
@@ -714,13 +879,113 @@ async function proxySideCarRequest(args) {
     const targetOrigin = args.sidecarManager.buildTargetOrigin(sidecar);
     const targetUrl = `${targetOrigin}${targetPath}`;
     args.logger.debug({ sidecarId: sidecar.id, targetUrl, pathname, prefixMode: sidecar.prefixMode }, "Proxying request to SideCar");
-    await args.reply.from(targetUrl, {
-        rewriteRequestHeaders: (_originalRequest, headers) => sanitizeSideCarProxyRequestHeaders(headers, targetOrigin),
+    await proxyTargetRequest({
+        reply: args.reply,
+        logger: args.logger,
+        targetUrl,
+        targetOrigin,
+        logContext: { sidecarId: sidecar.id },
+        errorMessage: "SideCar proxy failed",
         rewriteHeaders: (headers) => rewriteSideCarResponseHeaders(headers, sidecarId, targetOrigin, sidecar.prefixMode),
+    });
+}
+async function proxyPreviewRequest(args) {
+    const token = args.request.params.token ?? "";
+    const preview = args.previewManager.get(token);
+    if (!preview) {
+        args.reply.code(404).send({ error: "Preview not found" });
+        return;
+    }
+    const rawUrl = args.request.raw.url ?? args.request.url ?? "";
+    const queryIndex = rawUrl.indexOf("?");
+    const search = queryIndex >= 0 ? rawUrl.slice(queryIndex) : "";
+    const pathSuffix = args.pathSuffix ?? "";
+    const requestPath = pathSuffix ? `${args.previewManager.buildProxyBasePath(token)}/${pathSuffix.replace(/^\/+/, "")}` : args.previewManager.buildProxyBasePath(token);
+    const targetUrl = args.previewManager.buildTargetUrl(token, requestPath, search);
+    if (!targetUrl) {
+        args.reply.code(404).send({ error: "Preview not found" });
+        return;
+    }
+    args.logger.debug({ previewToken: token, targetUrl: targetUrl.toString() }, "Proxying request to preview");
+    await proxyPreviewTargetRequest({
+        request: args.request,
+        reply: args.reply,
+        logger: args.logger,
+        targetUrl: targetUrl.toString(),
+        targetOrigin: targetUrl.origin,
+        publicBase: args.previewManager.buildProxyBasePath(token),
+        logContext: { previewToken: token },
+        errorMessage: "Preview proxy failed",
+        rewriteHeaders: (headers) => rewritePreviewResponseHeaders(headers, token, targetUrl.origin),
+    });
+}
+async function proxyPreviewAssetRequest(args) {
+    const rawUrl = args.request.raw.url ?? args.request.url ?? "";
+    const queryIndex = rawUrl.indexOf("?");
+    const search = queryIndex >= 0 ? rawUrl.slice(queryIndex) : "";
+    const pathname = rawUrl.split("?")[0] ?? "/";
+    const targetUrl = args.previewManager.buildTargetUrl(args.token, pathname, search);
+    if (!targetUrl) {
+        args.reply.code(404).send({ error: "Preview not found" });
+        return;
+    }
+    args.logger.debug({ previewToken: args.token, targetUrl: targetUrl.toString() }, "Proxying preview fallback asset");
+    await proxyPreviewTargetRequest({
+        request: args.request,
+        reply: args.reply,
+        logger: args.logger,
+        targetUrl: targetUrl.toString(),
+        targetOrigin: targetUrl.origin,
+        publicBase: args.previewManager.buildProxyBasePath(args.token),
+        logContext: { previewToken: args.token, previewFallback: true },
+        errorMessage: "Preview proxy failed",
+        rewriteHeaders: (headers) => rewritePreviewResponseHeaders(headers, args.token, targetUrl.origin),
+    });
+}
+async function proxyPreviewTargetRequest(args) {
+    try {
+        const response = await fetch(args.targetUrl, {
+            method: args.request.method,
+            headers: buildFetchProxyHeaders(args.request.headers, args.targetOrigin),
+            body: shouldForwardRequestBody(args.request.method) ? args.request.raw : undefined,
+            duplex: shouldForwardRequestBody(args.request.method) ? "half" : undefined,
+            redirect: "manual",
+        });
+        const headers = args.rewriteHeaders(headersToRecord(response.headers));
+        const contentType = getHeaderValue(headers, "content-type") ?? response.headers.get("content-type") ?? "";
+        delete headers["content-length"];
+        delete headers["content-encoding"];
+        for (const [key, value] of Object.entries(headers)) {
+            if (value !== undefined)
+                args.reply.header(key, value);
+        }
+        args.reply.code(response.status);
+        if (!response.body || args.request.method === "HEAD") {
+            args.reply.send();
+            return;
+        }
+        if (isHtmlContentType(contentType) || isCssContentType(contentType)) {
+            const text = await response.text();
+            args.reply.send(rewritePreviewBodyUrls(text, args.publicBase, isCssContentType(contentType) ? "css" : "html"));
+            return;
+        }
+        args.reply.send(Buffer.from(await response.arrayBuffer()));
+    }
+    catch (error) {
+        args.logger.error({ ...args.logContext, err: error, targetUrl: args.targetUrl }, args.errorMessage);
+        if (!args.reply.sent) {
+            args.reply.code(502).send({ error: args.errorMessage });
+        }
+    }
+}
+async function proxyTargetRequest(args) {
+    await args.reply.from(args.targetUrl, {
+        rewriteRequestHeaders: (_originalRequest, headers) => sanitizeSideCarProxyRequestHeaders(headers, args.targetOrigin),
+        rewriteHeaders: args.rewriteHeaders,
         onError: (reply, { error }) => {
-            args.logger.error({ sidecarId: sidecar.id, err: error, targetUrl }, "Failed to proxy SideCar request");
+            args.logger.error({ ...args.logContext, err: error, targetUrl: args.targetUrl }, args.errorMessage);
             if (!reply.sent) {
-                reply.code(502).send({ error: "SideCar proxy failed" });
+                reply.code(502).send({ error: args.errorMessage });
             }
         },
     });
@@ -748,6 +1013,29 @@ function parseSideCarUpgradePath(rawUrl) {
         return null;
     }
 }
+function parsePreviewUpgradePath(rawUrl) {
+    let parsed;
+    try {
+        parsed = new URL(rawUrl, "http://localhost");
+    }
+    catch {
+        return null;
+    }
+    const match = parsed.pathname.match(/^\/previews\/([^/]+)(?:\/.*)?$/);
+    if (!match) {
+        return null;
+    }
+    try {
+        return {
+            token: decodeURIComponent(match[1] ?? ""),
+            pathname: parsed.pathname,
+            search: parsed.search,
+        };
+    }
+    catch {
+        return null;
+    }
+}
 async function proxySideCarWebSocketUpgrade(args) {
     const { request, socket, head, sidecarId, incomingPath, search, sidecarManager, authManager, logger } = args;
     if (!isWebSocketUpgradeRequest(request)) {
@@ -768,6 +1056,46 @@ async function proxySideCarWebSocketUpgrade(args) {
     const targetPath = sidecarManager.buildTargetPath(sidecarId, incomingPath, search);
     const targetUrl = new URL(`${targetOrigin}${targetPath}`);
     logger.debug({ sidecarId, targetUrl: targetUrl.toString(), prefixMode: sidecar.prefixMode }, "Proxying websocket to SideCar");
+    proxyTargetWebSocketUpgrade({
+        request,
+        socket,
+        head,
+        targetUrl,
+        logger,
+        logContext: { sidecarId },
+        proxyLabel: "SideCar",
+    });
+}
+async function proxyPreviewWebSocketUpgrade(args) {
+    const { request, socket, head, token, incomingPath, search, previewManager, authManager, logger } = args;
+    if (!isWebSocketUpgradeRequest(request)) {
+        rejectUpgrade(socket, 400, "Bad Request");
+        return;
+    }
+    const session = authManager.getSessionFromHeaders(request.headers);
+    if (!session) {
+        rejectUpgrade(socket, 401, "Unauthorized");
+        return;
+    }
+    const targetUrl = previewManager.buildTargetUrl(token, incomingPath, search);
+    if (!targetUrl) {
+        rejectUpgrade(socket, 404, "Not Found");
+        return;
+    }
+    logger.debug({ previewToken: token, targetUrl: targetUrl.toString() }, "Proxying websocket to preview");
+    proxyTargetWebSocketUpgrade({
+        request,
+        socket,
+        head,
+        targetUrl,
+        logger,
+        logContext: { previewToken: token },
+        proxyLabel: "preview",
+        stripCookies: true,
+    });
+}
+function proxyTargetWebSocketUpgrade(args) {
+    const { request, socket, head, targetUrl, logger, logContext, proxyLabel, stripCookies } = args;
     const { socket: upstream, readyEvent } = createSideCarUpstreamSocket(targetUrl);
     const closeBoth = () => {
         if (!socket.destroyed) {
@@ -778,21 +1106,21 @@ async function proxySideCarWebSocketUpgrade(args) {
         }
     };
     upstream.once("error", (error) => {
-        logger.error({ sidecarId, err: error, targetUrl: targetUrl.toString() }, "Failed to proxy SideCar websocket");
+        logger.error({ ...logContext, err: error, targetUrl: targetUrl.toString() }, `Failed to proxy ${proxyLabel} websocket`);
         rejectUpgrade(socket, 502, "Bad Gateway");
         if (!upstream.destroyed) {
             upstream.destroy();
         }
     });
     socket.once("error", (error) => {
-        logger.debug({ sidecarId, err: error }, "SideCar websocket client socket errored");
+        logger.debug({ ...logContext, err: error }, `${proxyLabel} websocket client socket errored`);
         if (!upstream.destroyed) {
             upstream.destroy();
         }
     });
     upstream.once(readyEvent, () => {
         try {
-            upstream.write(buildSideCarWebSocketRequest(request, targetUrl));
+            upstream.write(buildSideCarWebSocketRequest(request, targetUrl, { stripCookies }));
             if (head.length > 0) {
                 upstream.write(head);
             }
@@ -800,7 +1128,7 @@ async function proxySideCarWebSocketUpgrade(args) {
             socket.pipe(upstream);
         }
         catch (error) {
-            logger.error({ sidecarId, err: error, targetUrl: targetUrl.toString() }, "Failed to forward SideCar websocket upgrade");
+            logger.error({ ...logContext, err: error, targetUrl: targetUrl.toString() }, `Failed to forward ${proxyLabel} websocket upgrade`);
             closeBoth();
         }
     });
@@ -832,7 +1160,7 @@ function createSideCarUpstreamSocket(targetUrl) {
         readyEvent: "connect",
     };
 }
-function buildSideCarWebSocketRequest(request, targetUrl) {
+function buildSideCarWebSocketRequest(request, targetUrl, options) {
     const pathWithQuery = `${targetUrl.pathname}${targetUrl.search}`;
     const requestLine = `${request.method ?? "GET"} ${pathWithQuery} HTTP/${request.httpVersion}\r\n`;
     const headerLines = [];
@@ -846,6 +1174,8 @@ function buildSideCarWebSocketRequest(request, targetUrl) {
         const lower = key.toLowerCase();
         if (blockedHeaders.has(lower))
             continue;
+        if (options?.stripCookies && lower === "cookie")
+            continue;
         if (lower === "origin") {
             headerLines.push(`Origin: ${targetUrl.origin}\r\n`);
             continue;
@@ -899,6 +1229,34 @@ function rewriteSideCarResponseHeaders(headers, sidecarId, targetOrigin, prefixM
     }
     return next;
 }
+function rewritePreviewResponseHeaders(headers, token, targetOrigin) {
+    const next = { ...headers };
+    delete next["x-frame-options"];
+    delete next["content-security-policy"];
+    delete next["content-security-policy-report-only"];
+    delete next["set-cookie"];
+    delete next["set-cookie2"];
+    const locationHeader = next.location;
+    const location = Array.isArray(locationHeader) ? locationHeader[0] : locationHeader;
+    if (!location) {
+        return next;
+    }
+    const publicBase = `/previews/${encodeURIComponent(token)}`;
+    if (location.startsWith("/")) {
+        next.location = `${publicBase}${location}`;
+        return next;
+    }
+    try {
+        const parsed = new URL(location);
+        if (parsed.origin === targetOrigin) {
+            next.location = `${publicBase}${parsed.pathname}${parsed.search}${parsed.hash}`;
+        }
+    }
+    catch {
+        // Relative redirects should continue to resolve against the current preview path.
+    }
+    return next;
+}
 function sanitizeSideCarProxyRequestHeaders(headers, targetOrigin) {
     const blockedHeaders = getBlockedSideCarRequestHeaders();
     const next = {};

package/dist/server/routes/previews.js

@@ -0,0 +1,25 @@
+import { z } from "zod";
+const PreviewCreateSchema = z.object({
+    sessionId: z.string().trim().min(1),
+    url: z.string().trim().min(1),
+});
+export function registerPreviewRoutes(app, deps) {
+    app.post("/api/previews", async (request, reply) => {
+        try {
+            const body = PreviewCreateSchema.parse(request.body ?? {});
+            return deps.previewManager.create(body.sessionId, body.url);
+        }
+        catch (error) {
+            reply.code(400);
+            return { error: error instanceof Error ? error.message : "Failed to create preview" };
+        }
+    });
+    app.delete("/api/previews/:token", async (request, reply) => {
+        const removed = deps.previewManager.delete(request.params.token);
+        if (!removed) {
+            reply.code(404);
+            return { error: "Preview not found" };
+        }
+        reply.code(204);
+    });
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@neuralnomads/codenomad-dev",
-  "version": "0.15.0-dev-20260509-71531697",
+  "version": "0.15.0-dev-20260511-efe3f505",
   "description": "CodeNomad Server",
   "license": "MIT",
   "author": {