@opencode-cloud/core 3.3.0 → 4.0.1

package/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "opencode-cloud-core"
-version = "3.3.0"
+version = "4.0.1"
 edition = "2024"
 rust-version = "1.88"
 license = "MIT"

package/README.md

@@ -8,8 +8,13 @@
 [![MSRV](https://img.shields.io/badge/MSRV-1.85-blue.svg)](https://blog.rust-lang.org/2025/02/20/Rust-1.85.0.html)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
 
+> [!WARNING]
+> This project is a work in progress and evolving rapidly. Use with caution.
+
 A production-ready toolkit for deploying and managing [opencode](https://github.com/anomalyco/opencode) as a persistent cloud service, **sandboxed inside a Docker container** for isolation and security.
 
+This project uses the opencode fork at https://github.com/pRizz/opencode, which adds additional authentication and security features.
+
 ## Quick install (cargo)
 
 ```bash
@@ -19,12 +24,14 @@ opencode-cloud --version
 
 ## Deploy to AWS
 
-[![Deploy to AWS](https://s3.amazonaws.com/cloudformation-examples/cloudformation-launch-stack.png)](https://console.aws.amazon.com/cloudformation/home#/stacks/create/review?templateURL=https://raw.githubusercontent.com/pRizz/opencode-cloud/main/infra/aws/cloudformation/opencode-cloud-quick.yaml)
+[![Deploy to AWS](https://s3.amazonaws.com/cloudformation-examples/cloudformation-launch-stack.png)](https://console.aws.amazon.com/cloudformation/home#/stacks/create/review?templateURL=https://opencode-cloud-templates.s3.us-east-2.amazonaws.com/cloudformation/opencode-cloud-quick.yaml)
 
 Quick deploy provisions a private EC2 instance behind a public ALB with HTTPS.
 **A domain name is required** for ACM certificate validation.
+**A Route53 hosted zone ID is required** for automated DNS validation.
 
-Docs: `docs/deploy/aws.md` (includes teardown steps)
+Docs: `docs/deploy/aws.md` (includes teardown steps and S3 hosting setup for forks)
+Credentials: `docs/deploy/aws.md#retrieving-credentials`
 
 ## Features
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@opencode-cloud/core",
-  "version": "3.3.0",
+  "version": "4.0.1",
   "description": "Core NAPI bindings for opencode-cloud (internal package)",
   "main": "index.js",
   "types": "index.d.ts",

package/src/docker/Dockerfile

@@ -104,8 +104,6 @@ RUN --mount=type=cache,target=/var/lib/apt/lists \
     netcat-openbsd=1.226-* \
     iputils-ping=3:20240117-* \
     dnsutils=1:9.18.* \
-    # Reverse proxy for opencode UI + API
-    nginx=1.24.* \
     # Compression
     zip=3.0-* \
     unzip=6.0-* \
@@ -505,7 +503,7 @@ RUN echo 'export PATH="/home/opencode/.local/bin:$PATH"' >> /home/opencode/.zshr
 # This block includes:
 # - opencode build (backend binary) + app build (frontend dist)
 # - opencode-broker build
-# - nginx config for single-endpoint UI + API proxy
+# - opencode web build + runtime
 # - PAM configuration + systemd services
 # - opencode config file
 #
@@ -517,7 +515,7 @@ RUN echo 'export PATH="/home/opencode/.local/bin:$PATH"' >> /home/opencode/.zshr
 # Clone the fork and build opencode from source (as non-root user)
 # Pin to specific commit for reproducibility
 # Build opencode from source (BuildKit cache mounts disabled for now)
-RUN OPENCODE_COMMIT="34db1c9b23441b3b3a125c107149f346f9fdb96e" \
+RUN OPENCODE_COMMIT="9b91eb17f5ca1b0ee99cfaa0b4c87da6dbe9e784" \
     && rm -rf /tmp/opencode-repo \
     && git clone --depth 1 https://github.com/pRizz/opencode.git /tmp/opencode-repo \
     && cd /tmp/opencode-repo \
@@ -526,13 +524,15 @@ RUN OPENCODE_COMMIT="34db1c9b23441b3b3a125c107149f346f9fdb96e" \
     && curl -fsSL https://bun.sh/install | bash -s "bun-v1.3.5" \
     && export PATH="/home/opencode/.bun/bin:${PATH}" \
     && bun install --frozen-lockfile \
-    && bun run packages/opencode/script/build.ts --single \
-    && cd packages/app \
-    && bun run build \
+    && cd packages/opencode \
+    && export VITE_OPENCODE_SERVER_URL="http://localhost:3000" \
+    && bun run build-single-ui \
     && rm -rf /home/opencode/.bun/install/cache /home/opencode/.bun/cache /home/opencode/.cache/bun \
     && cd /tmp/opencode-repo \
     && mkdir -p /home/opencode/.local/share/opencode/bin \
+    && mkdir -p /home/opencode/.local/share/opencode/ui \
     && cp /tmp/opencode-repo/packages/opencode/dist/opencode-*/bin/opencode /home/opencode/.local/share/opencode/bin/opencode \
+    && cp -R /tmp/opencode-repo/packages/opencode/dist/opencode-*/ui/. /home/opencode/.local/share/opencode/ui/ \
     && chown -R opencode:opencode /home/opencode/.local/share/opencode \
     && chmod +x /home/opencode/.local/share/opencode/bin/opencode \
     && /home/opencode/.local/share/opencode/bin/opencode --version
@@ -540,14 +540,6 @@ RUN OPENCODE_COMMIT="34db1c9b23441b3b3a125c107149f346f9fdb96e" \
 # Add opencode to PATH
 ENV PATH="/home/opencode/.local/share/opencode/bin:${PATH}"
 
-# Copy UI assets to standard web root (requires root)
-USER root
-RUN mkdir -p /var/www/opencode \
-    && cp -R /tmp/opencode-repo/packages/app/dist/. /var/www/opencode/ \
-    && chown -R root:root /var/www/opencode \
-    && chmod 755 /var/www /var/www/opencode \
-    && chmod -R a+rX /var/www/opencode
-
 # -----------------------------------------------------------------------------
 # opencode-broker Installation
 # -----------------------------------------------------------------------------
@@ -568,49 +560,6 @@ RUN ls -la /usr/local/bin/opencode-broker \
     && test -x /usr/local/bin/opencode-broker \
     && echo "Broker installed"
 
-# -----------------------------------------------------------------------------
-# Nginx Reverse Proxy for UI + API
-# -----------------------------------------------------------------------------
-# Serve the built UI from /var/www/opencode and proxy all 3000 traffic to backend.
-RUN rm -f /etc/nginx/sites-enabled/default /etc/nginx/conf.d/default.conf 2>/dev/null || true \
-    && printf '%s\n' \
-    'server {' \
-    '  listen 3000;' \
-    '  server_name _;' \
-    '' \
-    '  location / {' \
-    '    proxy_pass http://127.0.0.1:3001;' \
-    '    proxy_http_version 1.1;' \
-    '    proxy_set_header Upgrade $http_upgrade;' \
-    '    proxy_set_header Connection "upgrade";' \
-    '    proxy_set_header Host $host;' \
-    '    proxy_set_header X-Real-IP $remote_addr;' \
-    '    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;' \
-    '    proxy_set_header X-Forwarded-Proto $scheme;' \
-    '  }' \
-    '}' \
-    '' \
-    'server {' \
-    '  listen 3002;' \
-    '  server_name _;' \
-    '' \
-    '  root /var/www/opencode;' \
-    '  index index.html;' \
-    '' \
-    '  location /assets/ {' \
-    '    try_files $uri =404;' \
-    '  }' \
-    '' \
-    '  location ~* \.(?:js|css|png|jpg|jpeg|gif|svg|ico|webp|woff2?|ttf|map)$ {' \
-    '    try_files $uri =404;' \
-    '  }' \
-    '' \
-    '  location / {' \
-    '    try_files $uri $uri/ /index.html;' \
-    '  }' \
-    '}' \
-    > /etc/nginx/conf.d/opencode.conf
-
 # -----------------------------------------------------------------------------
 # PAM Configuration
 # -----------------------------------------------------------------------------
@@ -690,7 +639,7 @@ RUN mkdir -p /home/opencode/.npm \
 # -----------------------------------------------------------------------------
 # opencode systemd Service (2026-01-22)
 # -----------------------------------------------------------------------------
-# Create opencode as a systemd service for Cockpit integration (backend only)
+# Create opencode as a systemd service for Cockpit integration
 # NOTE: Requires root privileges to write to /etc/systemd/system/
 USER root
 RUN printf '%s\n' \
@@ -702,7 +651,7 @@ RUN printf '%s\n' \
     'Type=simple' \
     'User=opencode' \
     'WorkingDirectory=/home/opencode/workspace' \
-    'ExecStart=/home/opencode/.local/share/opencode/bin/opencode --port 3001 --hostname 0.0.0.0' \
+    'ExecStart=/home/opencode/.local/share/opencode/bin/opencode web --port 3000 --hostname 0.0.0.0' \
     'Restart=always' \
     'RestartSec=5' \
     'Environment=PATH=/home/opencode/.local/share/opencode/bin:/home/opencode/.local/bin:/home/opencode/.cargo/bin:/home/opencode/.local/share/mise/shims:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' \
@@ -715,44 +664,15 @@ RUN printf '%s\n' \
 RUN mkdir -p /etc/systemd/system/multi-user.target.wants \
     && ln -sf /etc/systemd/system/opencode.service /etc/systemd/system/multi-user.target.wants/opencode.service
 
-# Nginx service for serving UI + proxying API
-RUN printf '%s\n' \
-    '[Unit]' \
-    'Description=Nginx reverse proxy for opencode UI' \
-    'After=network.target opencode.service' \
-    '' \
-    '[Service]' \
-    'Type=simple' \
-    'ExecStart=/usr/sbin/nginx -g "daemon off;"' \
-    'ExecReload=/usr/sbin/nginx -s reload' \
-    'Restart=always' \
-    'RestartSec=5' \
-    '' \
-    '[Install]' \
-    'WantedBy=multi-user.target' \
-    > /etc/systemd/system/opencode-nginx.service
-
-# Enable nginx service
-RUN mkdir -p /etc/systemd/system/multi-user.target.wants \
-    && ln -sf /etc/systemd/system/opencode-nginx.service /etc/systemd/system/multi-user.target.wants/opencode-nginx.service
-
-# Prevent the distro nginx service from also starting (port 3000 conflict)
-RUN rm -f /etc/systemd/system/multi-user.target.wants/nginx.service \
-    && ln -sf /dev/null /etc/systemd/system/nginx.service
-
 # -----------------------------------------------------------------------------
 # opencode Configuration
 # -----------------------------------------------------------------------------
-# Create opencode.jsonc config file with PAM authentication enabled and UI URL
+# Create opencode.jsonc config file with PAM authentication enabled
 RUN mkdir -p /home/opencode/.config/opencode \
     && printf '%s\n' \
     '{' \
-    '  // Container UI served via nginx on 3002' \
     '  "auth": {' \
     '    "enabled": true' \
-    '  },' \
-    '  "server": {' \
-    '    "uiUrl": "http://localhost:3002"' \
     '  }' \
     '}' \
     > /home/opencode/.config/opencode/opencode.jsonc \
@@ -776,9 +696,11 @@ RUN printf '%s\n' \
     'if [ "${USE_SYSTEMD}" = "1" ]; then' \
     '    exec /sbin/init' \
     'else' \
+    '    # Ensure broker socket directory exists' \
+    '    install -d -m 0755 /run/opencode' \
+    '    /usr/local/bin/opencode-broker &' \
     '    # Use runuser to switch to opencode user without password prompt' \
-    '    runuser -u opencode -- /home/opencode/.local/share/opencode/bin/opencode --port 3001 --hostname 0.0.0.0 &' \
-    '    exec /usr/sbin/nginx -g "daemon off;"' \
+    '    exec runuser -u opencode -- sh -lc "cd /home/opencode/workspace && /home/opencode/.local/share/opencode/bin/opencode web --port 3000 --hostname 0.0.0.0"' \
     'fi' \
     > /usr/local/bin/entrypoint.sh && chmod +x /usr/local/bin/entrypoint.sh
 
@@ -812,8 +734,8 @@ RUN echo "${OPENCODE_CLOUD_VERSION}" > /etc/opencode-cloud-version
 # -----------------------------------------------------------------------------
 WORKDIR /home/opencode/workspace
 
-# Expose opencode ports (3000/3001/3002) and Cockpit (9090)
-EXPOSE 3000 3001 3002 9090
+# Expose opencode web (3000) and Cockpit (9090)
+EXPOSE 3000 9090
 
 # Hybrid init: entrypoint script chooses tini or systemd based on USE_SYSTEMD env
 ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]

package/src/docker/README.dockerhub.md

@@ -28,10 +28,18 @@ docker pull ghcr.io/prizz/opencode-cloud-sandbox:latest
 Run the container:
 
 ```
-docker run --rm -it -p 3000:3000 -p 3001:3001 -p 3002:3002 -p 9090:9090 ghcr.io/prizz/opencode-cloud-sandbox:latest
+docker run --rm -it -p 3000:3000 -p 9090:9090 ghcr.io/prizz/opencode-cloud-sandbox:latest
 ```
 
-The opencode web UI is available at `http://localhost:3000`. The backend is reachable at `http://localhost:3001`, and the static UI is served at `http://localhost:3002`. Cockpit runs on `http://localhost:9090`.
+The opencode web UI is available at `http://localhost:3000`. Cockpit runs on `http://localhost:9090`.
+
+## opencode build and serve flow
+
+The Docker image builds opencode directly from the fork and runs the web server without nginx:
+
+1. `cd packages/opencode`
+2. `bun run build` to generate `packages/opencode/dist`
+3. Run the server with `./bin/opencode web`
 
 ## Source
 

package/src/docker/health.rs

@@ -53,12 +53,21 @@ pub enum HealthError {
     Timeout,
 }
 
+fn format_host(bind_addr: &str) -> String {
+    if bind_addr.contains(':') && !bind_addr.starts_with('[') {
+        format!("[{bind_addr}]")
+    } else {
+        bind_addr.to_string()
+    }
+}
+
 /// Check health by querying OpenCode's /global/health endpoint
 ///
 /// Returns the health response on success (HTTP 200).
 /// Returns an error for connection issues, timeouts, or non-200 responses.
-pub async fn check_health(port: u16) -> Result<HealthResponse, HealthError> {
-    let url = format!("http://127.0.0.1:{port}/global/health");
+pub async fn check_health(bind_addr: &str, port: u16) -> Result<HealthResponse, HealthError> {
+    let host = format_host(bind_addr);
+    let url = format!("http://{host}:{port}/global/health");
 
     let client = reqwest::Client::builder()
         .timeout(Duration::from_secs(5))
@@ -95,10 +104,11 @@ pub async fn check_health(port: u16) -> Result<HealthResponse, HealthError> {
 /// If container stats fail, still returns response with container_state = "unknown".
 pub async fn check_health_extended(
     client: &DockerClient,
+    bind_addr: &str,
     port: u16,
 ) -> Result<ExtendedHealthResponse, HealthError> {
     // Get basic health info
-    let health = check_health(port).await?;
+    let health = check_health(bind_addr, port).await?;
 
     // Get container stats
     let container_name = super::CONTAINER_NAME;
@@ -155,11 +165,21 @@ mod tests {
     #[tokio::test]
     async fn test_health_check_connection_refused() {
         // Port 1 should always refuse connection
-        let result = check_health(1).await;
+        let result = check_health("127.0.0.1", 1).await;
         assert!(result.is_err());
         match result.unwrap_err() {
             HealthError::ConnectionRefused => {}
             other => panic!("Expected ConnectionRefused, got: {other:?}"),
         }
     }
+
+    #[test]
+    fn format_host_wraps_ipv6() {
+        assert_eq!(format_host("::1"), "[::1]");
+    }
+
+    #[test]
+    fn format_host_preserves_ipv4() {
+        assert_eq!(format_host("127.0.0.1"), "127.0.0.1");
+    }
 }

package/src/docker/image.rs

@@ -177,6 +177,8 @@ struct BuildLogState {
     error_log_buffer_size: usize,
     last_buildkit_vertex: Option<String>,
     last_buildkit_vertex_id: Option<String>,
+    export_vertex_id: Option<String>,
+    export_vertex_name: Option<String>,
     buildkit_logs_by_vertex_id: HashMap<String, String>,
     vertex_name_by_vertex_id: HashMap<String, String>,
 }
@@ -199,6 +201,8 @@ impl BuildLogState {
             error_log_buffer_size,
             last_buildkit_vertex: None,
             last_buildkit_vertex_id: None,
+            export_vertex_id: None,
+            export_vertex_name: None,
             buildkit_logs_by_vertex_id: HashMap::new(),
             vertex_name_by_vertex_id: HashMap::new(),
         }
@@ -255,31 +259,45 @@ fn handle_buildkit_status(
 ) {
     let latest_logs = append_buildkit_logs(&mut state.buildkit_logs_by_vertex_id, status);
     update_buildkit_vertex_names(&mut state.vertex_name_by_vertex_id, status);
-    let (vertex_id, vertex_name) =
-        match select_latest_buildkit_vertex(status, &state.vertex_name_by_vertex_id) {
-            Some((vertex_id, vertex_name)) => (vertex_id, vertex_name),
-            None => {
-                let Some(log_entry) = latest_logs.last() else {
-                    return;
-                };
-                let name = state
-                    .vertex_name_by_vertex_id
-                    .get(&log_entry.vertex_id)
-                    .cloned()
-                    .or_else(|| state.last_buildkit_vertex.clone())
-                    .unwrap_or_else(|| format_vertex_fallback_label(&log_entry.vertex_id));
-                (log_entry.vertex_id.clone(), name)
-            }
-        };
+    update_export_vertex_from_logs(
+        &latest_logs,
+        &state.vertex_name_by_vertex_id,
+        &mut state.export_vertex_id,
+        &mut state.export_vertex_name,
+    );
+    let (vertex_id, vertex_name) = match select_latest_buildkit_vertex(
+        status,
+        &state.vertex_name_by_vertex_id,
+        state.export_vertex_id.as_deref(),
+        state.export_vertex_name.as_deref(),
+    ) {
+        Some((vertex_id, vertex_name)) => (vertex_id, vertex_name),
+        None => {
+            let Some(log_entry) = latest_logs.last() else {
+                return;
+            };
+            let name = state
+                .vertex_name_by_vertex_id
+                .get(&log_entry.vertex_id)
+                .cloned()
+                .or_else(|| state.last_buildkit_vertex.clone())
+                .unwrap_or_else(|| format_vertex_fallback_label(&log_entry.vertex_id));
+            (log_entry.vertex_id.clone(), name)
+        }
+    };
     record_buildkit_logs(state, &latest_logs, &vertex_id, &vertex_name);
-    state.last_buildkit_vertex_id = Some(vertex_id);
+    state.last_buildkit_vertex_id = Some(vertex_id.clone());
     if state.last_buildkit_vertex.as_deref() != Some(&vertex_name) {
         state.last_buildkit_vertex = Some(vertex_name.clone());
     }
 
     let message = if progress.is_plain_output() {
         vertex_name
-    } else if let Some(log_entry) = latest_logs.last() {
+    } else if let Some(log_entry) = latest_logs
+        .iter()
+        .rev()
+        .find(|entry| entry.vertex_id == vertex_id)
+    {
         format!("{vertex_name} · {}", log_entry.message)
     } else {
         vertex_name
@@ -360,7 +378,17 @@ fn update_buildkit_vertex_names(
 fn select_latest_buildkit_vertex(
     status: &BuildkitStatusResponse,
     vertex_name_by_vertex_id: &HashMap<String, String>,
+    export_vertex_id: Option<&str>,
+    export_vertex_name: Option<&str>,
 ) -> Option<(String, String)> {
+    if let Some(export_vertex_id) = export_vertex_id {
+        let name = export_vertex_name
+            .map(str::to_string)
+            .or_else(|| vertex_name_by_vertex_id.get(export_vertex_id).cloned())
+            .unwrap_or_else(|| format_vertex_fallback_label(export_vertex_id));
+        return Some((export_vertex_id.to_string(), name));
+    }
+
     let mut best_runtime: Option<(u32, String, String)> = None;
     let mut fallback: Option<(String, String)> = None;
 
@@ -423,6 +451,24 @@ fn format_vertex_fallback_label(vertex_id: &str) -> String {
     format!("vertex {short}")
 }
 
+fn update_export_vertex_from_logs(
+    latest_logs: &[BuildkitLogEntry],
+    vertex_name_by_vertex_id: &HashMap<String, String>,
+    export_vertex_id: &mut Option<String>,
+    export_vertex_name: &mut Option<String>,
+) {
+    if let Some(entry) = latest_logs
+        .iter()
+        .rev()
+        .find(|log| log.message.trim_start().starts_with("exporting to image"))
+    {
+        *export_vertex_id = Some(entry.vertex_id.clone());
+        if let Some(name) = vertex_name_by_vertex_id.get(&entry.vertex_id) {
+            *export_vertex_name = Some(name.clone());
+        }
+    }
+}
+
 fn record_buildkit_logs(
     state: &mut BuildLogState,
     latest_logs: &[BuildkitLogEntry],