portacode 1.4.12.dev1__py3-none-any.whl → 1.4.15.dev10__py3-none-any.whl

portacode/_version.py

@@ -28,7 +28,7 @@ version_tuple: VERSION_TUPLE
 commit_id: COMMIT_ID
 __commit_id__: COMMIT_ID
 
-__version__ = version = '1.4.12.dev1'
-__version_tuple__ = version_tuple = (1, 4, 12, 'dev1')
+__version__ = version = '1.4.15.dev10'
+__version_tuple__ = version_tuple = (1, 4, 15, 'dev10')
 
 __commit_id__ = commit_id = None

portacode/connection/handlers/WEBSOCKET_PROTOCOL.md

@@ -27,6 +27,10 @@ The Portacode server acts as a **routing middleman** between client sessions and
 
 - **`source_client_session`** (Server → Device): Server **adds this** when forwarding client commands to devices (so device knows which client sent the command and can target responses back). Clients never include this field.
 
+### Proxying infrastructure updates
+
+Portacode infrastructure devices (like the proxmox host) can send events on behalf of the LXC Devices they manage. Such messages include the optional `on_behalf_of_device` field and the server silently replaces `device_id` with that child device before routing. The gateway enforces that the sender is the child’s `proxmox_parent` (via `Device.proxmox_parent`) so only the infrastructure owner can impersonate a child device. Messages that fail this check are dropped.
+
 This document describes the complete protocol for communicating with devices through the server, guiding app developers on how to get their client sessions to communicate with devices.
 
 ## Table of Contents
@@ -361,6 +365,9 @@ Creates a Portacode-managed LXC container, starts it, and bootstraps the Portaco
 *   `username` (string, optional): OS user to provision (defaults to `svcuser`).
 *   `password` (string, optional): Password for the user (used only during provisioning).
 *   `ssh_key` (string, optional): SSH public key to add to the user.
+*   `device_id` (string, required): ID of the dashboard Device record that represents the container. The handler persists this value in the host metadata file so related events can always be correlated back to that Device.
+*   `device_public_key` (string, optional): PEM-encoded Portacode public key. When supplied together with `device_private_key` the handler injects the keypair, records the device metadata, and runs `portacode service install` automatically.
+*   `device_private_key` (string, optional): PEM-encoded private key that pairs with `device_public_key`. Both key fields must be present for the automatic service-install mode.
 
 **Responses:**
 
@@ -418,6 +425,9 @@ Emitted after a successful `create_proxmox_container` action. Contains the new c
 *   `public_key` (string): Portacode public auth key created inside the new container.
 *   `container` (object): Metadata such as `vmid`, `hostname`, `template`, `storage`, `disk_gib`, `ram_mib`, and `cpus`.
 *   `setup_steps` (array[object]): Detailed bootstrap step results (name, stdout/stderr, elapsed time, and status).
+*   `device_id` (string): Mirrors the dashboard Device ID supplied with `create_proxmox_container`. The handler records this value in the container metadata file so subsequent events can reference the same Device.
+*   `on_behalf_of_device` (string): Same value as `device_id` when the container host is reporting progress for the child device; only proxmox parents may include this field.
+*   `service_installed` (boolean): True when the handler already ran `portacode service install` (with a provided keypair); otherwise it remains False and the dashboard can call `start_portacode_service`.
 
 ### `proxmox_container_progress`
 
@@ -434,6 +444,7 @@ Sent intermittently while `create_proxmox_container` is executing so callers can
 *   `message` (string): Short description of what is happening or why a failure occurred.
 *   `details` (object, optional): Contains `attempt` (if retries were needed) and `error_summary` when a step fails.
 *   `request_id` (string, optional): Mirrors the request ID from the incoming `create_proxmox_container` payload when available.
+ *   `on_behalf_of_device` (string, optional): When present the proxmox device is reporting progress for the referenced dashboard device; the gateway verifies the proxmox node is the child’s `proxmox_parent` before routing the event.
 
 ### `start_portacode_service`
 
@@ -450,6 +461,7 @@ Runs `sudo portacode service install` inside the container after the dashboard h
 *   Emits additional [`proxmox_container_progress`](#proxmox_container_progress-event) events to report the authentication and service-install steps.
 *   On success, emits a [`proxmox_service_started`](#proxmox_service_started-event).
 *   On failure, emits a generic [`error`](#error) event.
+*   When `create_proxmox_container` already provided a dashboard-generated keypair, the handler may have installed the service already, so this call is optional unless you need to re-run the install.
 
 ### `proxmox_service_started`
 
@@ -1171,6 +1183,8 @@ Emitted after a successful `create_proxmox_container` action to report the newly
 *   `public_key` (string): Portacode public auth key discovered inside the container.
 *   `container` (object): Metadata such as `vmid`, `hostname`, `template`, `storage`, `disk_gib`, `ram_mib`, and `cpus`.
 *   `setup_steps` (array[object]): Detailed bootstrap step reports including stdout/stderr, elapsed time, and pass/fail status.
+*   `device_id` (string): Mirrors the device ID supplied with `create_proxmox_container` and persisted inside the host metadata file for this CT.
+*   `on_behalf_of_device` (string): Same value as `device_id` when the container host is reporting progress for the child device.
 
 ### `proxmox_container_progress`
 
@@ -1187,6 +1201,7 @@ Sent continuously while `create_proxmox_container` runs so dashboards can show a
 *   `message` (string): Short human-readable description of the action or failure.
 *   `details` (object, optional): Contains `attempt` (when retries are used) and `error_summary` on failure.
 *   `request_id` (string, optional): Mirrors the `create_proxmox_container` request when provided.
+*   `on_behalf_of_device` (string, optional): Mirrors the child device ID when a proxmox host reports progress for that child; only proxmox parents can supply this field.
 
 ### `proxmox_container_action`
 

portacode/connection/handlers/proxmox_infra.py

@@ -5,17 +5,20 @@ from __future__ import annotations
 import asyncio
 import json
 import logging
+import math
 import os
 import secrets
+import shlex
 import shutil
 import stat
 import subprocess
 import sys
+import tempfile
 import time
 import threading
 from datetime import datetime
 from pathlib import Path
-from typing import Any, Callable, Dict, Iterable, List, Optional, Tuple
+from typing import Any, Callable, Dict, Iterable, List, Optional, Sequence, Tuple
 
 import platformdirs
 
@@ -44,6 +47,7 @@ UNIT_DIR = Path("/etc/systemd/system")
 _MANAGED_CONTAINERS_CACHE_TTL_S = 30.0
 _MANAGED_CONTAINERS_CACHE: Dict[str, Any] = {"timestamp": 0.0, "summary": None}
 _MANAGED_CONTAINERS_CACHE_LOCK = threading.Lock()
+_STARTUP_TEMPLATES_REFRESHED = False
 
 ProgressCallback = Callable[[int, int, Dict[str, Any], str, Optional[Dict[str, Any]]], None]
 
@@ -60,6 +64,7 @@ def _emit_progress_event(
     phase: str,
     request_id: Optional[str],
     details: Optional[Dict[str, Any]] = None,
+    on_behalf_of_device: Optional[str] = None,
 ) -> None:
     loop = handler.context.get("event_loop")
     if not loop or loop.is_closed():
@@ -84,6 +89,8 @@ def _emit_progress_event(
         payload["request_id"] = request_id
     if details:
         payload["details"] = details
+    if on_behalf_of_device:
+        payload["on_behalf_of_device"] = str(on_behalf_of_device)
 
     future = asyncio.run_coroutine_threadsafe(handler.send_response(payload), loop)
     future.add_done_callback(
@@ -173,6 +180,41 @@ def _list_templates(client: Any, node: str, storages: Iterable[Dict[str, Any]])
     return templates
 
 
+def _build_proxmox_client_from_config(config: Dict[str, Any]):
+    user = config.get("user")
+    token_name = config.get("token_name")
+    token_value = config.get("token_value")
+    if not user or not token_name or not token_value:
+        raise RuntimeError("Proxmox API credentials are missing")
+    ProxmoxAPI = _ensure_proxmoxer()
+    return ProxmoxAPI(
+        config.get("host", DEFAULT_HOST),
+        user=user,
+        token_name=token_name,
+        token_value=token_value,
+        verify_ssl=config.get("verify_ssl", False),
+        timeout=30,
+    )
+
+
+def _ensure_templates_refreshed_on_startup(config: Dict[str, Any]) -> None:
+    global _STARTUP_TEMPLATES_REFRESHED
+    if _STARTUP_TEMPLATES_REFRESHED or not config or not config.get("token_value"):
+        _STARTUP_TEMPLATES_REFRESHED = True
+        return
+    try:
+        client = _build_proxmox_client_from_config(config)
+        node = config.get("node") or _pick_node(client)
+        storages = client.nodes(node).storage.get()
+        templates = _list_templates(client, node, storages)
+        if templates:
+            config["templates"] = templates
+    except Exception as exc:
+        logger.warning("Unable to refresh Proxmox templates on startup: %s", exc)
+    finally:
+        _STARTUP_TEMPLATES_REFRESHED = True
+
+
 def _pick_storage(storages: Iterable[Dict[str, Any]]) -> str:
     candidates = [s for s in storages if "rootdir" in s.get("content", "") and s.get("avail", 0) > 0]
     if not candidates:
@@ -261,7 +303,10 @@ def _ensure_bridge(bridge: str = DEFAULT_BRIDGE) -> Dict[str, Any]:
         apt = shutil.which("apt-get")
         if not apt:
             raise RuntimeError("dnsmasq is missing and apt-get unavailable to install it")
-        _call_subprocess([apt, "update"], check=True)
+        update = _call_subprocess([apt, "update"], check=False)
+        if update.returncode not in (0, 100):
+            msg = update.stderr or update.stdout or f"exit status {update.returncode}"
+            raise RuntimeError(f"apt-get update failed: {msg}")
         _call_subprocess([apt, "install", "-y", "dnsmasq"], check=True)
     _write_bridge_config(bridge)
     _ensure_sysctl()
@@ -428,7 +473,12 @@ def _friendly_step_label(step_name: str) -> str:
     return normalized.capitalize()
 
 
-def _build_bootstrap_steps(user: str, password: str, ssh_key: str) -> List[Dict[str, Any]]:
+def _build_bootstrap_steps(
+    user: str,
+    password: str,
+    ssh_key: str,
+    include_portacode_connect: bool = True,
+) -> List[Dict[str, Any]]:
     steps = [
         {
             "name": "apt_update",
@@ -465,11 +515,14 @@ def _build_bootstrap_steps(user: str, password: str, ssh_key: str) -> List[Dict[
             "cmd": f"install -d -m 700 /home/{user}/.ssh && echo '{ssh_key}' >> /home/{user}/.ssh/authorized_keys && chown -R {user}:{user} /home/{user}/.ssh",
             "retries": 0,
         })
-    steps.extend([
-        {"name": "pip_upgrade", "cmd": "python3 -m pip install --upgrade pip", "retries": 0},
-        {"name": "install_portacode", "cmd": "python3 -m pip install --upgrade portacode", "retries": 0},
-        {"name": "portacode_connect", "type": "portacode_connect", "timeout_s": 30},
-    ])
+    steps.extend(
+        [
+            {"name": "pip_upgrade", "cmd": "python3 -m pip install --upgrade pip", "retries": 0},
+            {"name": "install_portacode", "cmd": "python3 -m pip install --upgrade portacode", "retries": 0},
+        ]
+    )
+    if include_portacode_connect:
+        steps.append({"name": "portacode_connect", "type": "portacode_connect", "timeout_s": 30})
     return steps
 
 
@@ -590,7 +643,7 @@ def _build_container_payload(message: Dict[str, Any], config: Dict[str, Any]) ->
     hostname = (message.get("hostname") or "").strip()
     disk_gib = int(max(round(_validate_positive_number(message.get("disk_gib") or message.get("disk"), 3)), 1))
     ram_mib = int(max(round(_validate_positive_number(message.get("ram_mib") or message.get("ram"), 2048)), 1))
-    cpus = _validate_positive_number(message.get("cpus"), 1)
+    cpus = _validate_positive_number(message.get("cpus"), 0.2)
     storage = message.get("storage") or config.get("default_storage") or ""
     if not storage:
         raise ValueError("Storage pool could not be determined.")
@@ -679,6 +732,74 @@ def _run_pct_check(vmid: int, cmd: str) -> Dict[str, Any]:
     return res
 
 
+def _run_pct_exec(vmid: int, command: Sequence[str]) -> subprocess.CompletedProcess[str]:
+    return _call_subprocess(["pct", "exec", str(vmid), "--", *command])
+
+
+def _run_pct_exec_check(vmid: int, command: Sequence[str]) -> subprocess.CompletedProcess[str]:
+    res = _run_pct_exec(vmid, command)
+    if res.returncode != 0:
+        raise RuntimeError(res.stderr or res.stdout or f"pct exec {' '.join(command)} failed")
+    return res
+
+
+def _run_pct_push(vmid: int, src: str, dest: str) -> subprocess.CompletedProcess[str]:
+    return _call_subprocess(["pct", "push", str(vmid), src, dest])
+
+
+def _push_bytes_to_container(
+    vmid: int, user: str, path: str, data: bytes, mode: int = 0o600
+) -> None:
+    logger.debug("Preparing to push %d bytes to container vmid=%s path=%s for user=%s", len(data), vmid, path, user)
+    tmp_path: Optional[str] = None
+    try:
+        parent = Path(path).parent
+        parent_str = parent.as_posix()
+        if parent_str not in {"", ".", "/"}:
+            _run_pct_exec_check(vmid, ["mkdir", "-p", parent_str])
+            _run_pct_exec_check(vmid, ["chown", "-R", f"{user}:{user}", parent_str])
+
+        with tempfile.NamedTemporaryFile(delete=False) as tmp:
+            tmp.write(data)
+            tmp.flush()
+            os.fsync(tmp.fileno())
+            tmp_path = tmp.name
+
+        push_res = _run_pct_push(vmid, tmp_path, path)
+        if push_res.returncode != 0:
+            raise RuntimeError(push_res.stderr or push_res.stdout or f"pct push returned {push_res.returncode}")
+
+        _run_pct_exec_check(vmid, ["chown", f"{user}:{user}", path])
+        _run_pct_exec_check(vmid, ["chmod", format(mode, "o"), path])
+        logger.debug("Successfully pushed %d bytes to vmid=%s path=%s", len(data), vmid, path)
+    except Exception as exc:
+        logger.error("Failed to write to container vmid=%s path=%s for user=%s: %s", vmid, path, user, exc)
+        raise
+    finally:
+        if tmp_path:
+            try:
+                os.remove(tmp_path)
+            except OSError as cleanup_exc:
+                logger.warning("Failed to remove temporary file %s: %s", tmp_path, cleanup_exc)
+
+
+def _resolve_portacode_key_dir(vmid: int, user: str) -> str:
+    data_dir_cmd = f"su - {user} -c 'echo -n ${{XDG_DATA_HOME:-$HOME/.local/share}}'"
+    data_home = _run_pct_check(vmid, data_dir_cmd)["stdout"].strip()
+    portacode_dir = f"{data_home}/portacode"
+    _run_pct_exec_check(vmid, ["mkdir", "-p", portacode_dir])
+    _run_pct_exec_check(vmid, ["chown", "-R", f"{user}:{user}", portacode_dir])
+    return f"{portacode_dir}/keys"
+
+
+def _deploy_device_keypair(vmid: int, user: str, private_key: str, public_key: str) -> None:
+    key_dir = _resolve_portacode_key_dir(vmid, user)
+    priv_path = f"{key_dir}/id_portacode"
+    pub_path = f"{key_dir}/id_portacode.pub"
+    _push_bytes_to_container(vmid, user, priv_path, private_key.encode(), mode=0o600)
+    _push_bytes_to_container(vmid, user, pub_path, public_key.encode(), mode=0o644)
+
+
 def _portacode_connect_and_read_key(vmid: int, user: str, timeout_s: int = 10) -> Dict[str, Any]:
     cmd = ["pct", "exec", str(vmid), "--", "bash", "-lc", f"su - {user} -c 'portacode connect'"]
     proc = subprocess.Popen(cmd, text=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
@@ -702,15 +823,22 @@ def _portacode_connect_and_read_key(vmid: int, user: str, timeout_s: int = 10) -
 
     last_pub = last_priv = None
     stable = 0
+    history: List[Dict[str, Any]] = []
+
+    process_exited = False
+    exit_out = exit_err = ""
     while time.time() - start < timeout_s:
         if proc.poll() is not None:
-            out, err = proc.communicate(timeout=1)
-            return {
-                "ok": False,
-                "error": "portacode connect exited before keys were created",
-                "stdout": (out or "").strip(),
-                "stderr": (err or "").strip(),
-            }
+            process_exited = True
+            exit_out, exit_err = proc.communicate(timeout=1)
+            history.append(
+                {
+                    "timestamp_s": round(time.time() - start, 2),
+                    "status": "process_exited",
+                    "returncode": proc.returncode,
+                }
+            )
+            break
         pub_size = file_size(pub_path)
         priv_size = file_size(priv_path)
         if pub_size and priv_size:
@@ -720,21 +848,60 @@ def _portacode_connect_and_read_key(vmid: int, user: str, timeout_s: int = 10) -
                 stable = 0
             last_pub, last_priv = pub_size, priv_size
             if stable >= 1:
+                history.append(
+                    {
+                        "timestamp_s": round(time.time() - start, 2),
+                        "pub_size": pub_size,
+                        "priv_size": priv_size,
+                        "stable": stable,
+                    }
+                )
                 break
+        history.append(
+            {
+                "timestamp_s": round(time.time() - start, 2),
+                "pub_size": pub_size,
+                "priv_size": priv_size,
+                "stable": stable,
+            }
+        )
         time.sleep(1)
 
-    if stable < 1:
+    final_pub = file_size(pub_path)
+    final_priv = file_size(priv_path)
+    if final_pub and final_priv:
+        key_res = _run_pct(vmid, f"su - {user} -c 'cat {pub_path}'")
+        if not process_exited:
+            proc.terminate()
+            try:
+                proc.wait(timeout=3)
+            except subprocess.TimeoutExpired:
+                proc.kill()
+        return {
+            "ok": True,
+            "public_key": key_res["stdout"].strip(),
+            "history": history,
+        }
+
+    if not process_exited:
         proc.terminate()
         try:
             proc.wait(timeout=3)
         except subprocess.TimeoutExpired:
             proc.kill()
-        out, err = proc.communicate(timeout=1)
+        exit_out, exit_err = proc.communicate(timeout=1)
+        history.append(
+            {
+                "timestamp_s": round(time.time() - start, 2),
+                "status": "timeout_waiting_for_keys",
+            }
+        )
         return {
             "ok": False,
             "error": "timed out waiting for portacode key files",
-            "stdout": (out or "").strip(),
-            "stderr": (err or "").strip(),
+            "stdout": (exit_out or "").strip(),
+            "stderr": (exit_err or "").strip(),
+            "history": history,
         }
 
     proc.terminate()
@@ -747,6 +914,7 @@ def _portacode_connect_and_read_key(vmid: int, user: str, timeout_s: int = 10) -
     return {
         "ok": True,
         "public_key": key_res["stdout"].strip(),
+        "history": history,
     }
 
 
@@ -833,6 +1001,7 @@ def _bootstrap_portacode(
     progress_callback: Optional[ProgressCallback] = None,
     start_index: int = 1,
     total_steps: Optional[int] = None,
+    default_public_key: Optional[str] = None,
 ) -> Tuple[str, List[Dict[str, Any]]]:
     actual_steps = steps if steps is not None else _build_bootstrap_steps(user, password, ssh_key)
     results, ok = _run_setup_steps(
@@ -844,9 +1013,33 @@ def _bootstrap_portacode(
         total_steps=total_steps,
     )
     if not ok:
+        details = results[-1] if results else {}
+        summary = details.get("error_summary") or details.get("stderr") or details.get("stdout") or details.get("name")
+        history = details.get("history")
+        history_snippet = ""
+        if isinstance(history, list) and history:
+            history_snippet = f" history={history[-3:]}"
+        command = details.get("cmd")
+        command_text = ""
+        if command:
+            if isinstance(command, (list, tuple)):
+                command_text = shlex.join(str(entry) for entry in command)
+            else:
+                command_text = str(command)
+        command_suffix = f" command={command_text}" if command_text else ""
+        if summary:
+            logger.warning(
+                "Portacode bootstrap failure summary=%s%s%s",
+                summary,
+                f" history_len={len(history)}" if history else "",
+                f" command={command_text}" if command_text else "",
+            )
+            raise RuntimeError(
+                f"Portacode bootstrap steps failed: {summary}{history_snippet}{command_suffix}"
+            )
         raise RuntimeError("Portacode bootstrap steps failed.")
     key_step = next((entry for entry in results if entry.get("name") == "portacode_connect"), None)
-    public_key = key_step.get("public_key") if key_step else None
+    public_key = key_step.get("public_key") if key_step else default_public_key
     if not public_key:
         raise RuntimeError("Portacode connect did not return a public key.")
     return public_key, results
@@ -861,6 +1054,7 @@ def build_snapshot(config: Dict[str, Any]) -> Dict[str, Any]:
     }
     if not config:
         return {"configured": False, "network": base_network}
+    _ensure_templates_refreshed_on_startup(config)
     return {
         "configured": True,
         "host": config.get("host"),
@@ -895,17 +1089,13 @@ def configure_infrastructure(token_identifier: str, token_value: str, verify_ssl
         network = _ensure_bridge()
         # Wait for network convergence before validating connectivity
         time.sleep(2)
-        if _verify_connectivity():
-            network["health"] = "healthy"
-        else:
-            network = {"applied": False, "bridge": DEFAULT_BRIDGE, "message": "Connectivity check failed; bridge reverted"}
-            _revert_bridge()
-    except PermissionError as exc:
-        network = {"applied": False, "message": str(exc), "bridge": DEFAULT_BRIDGE}
-        logger.warning("Bridge setup skipped: %s", exc)
-    except Exception as exc:  # pragma: no cover - best effort
-        network = {"applied": False, "message": str(exc), "bridge": DEFAULT_BRIDGE}
-        logger.warning("Bridge setup failed: %s", exc)
+        if not _verify_connectivity():
+            raise RuntimeError("Connectivity check failed; bridge reverted")
+        network["health"] = "healthy"
+    except Exception as exc:
+        logger.warning("Bridge setup failed; reverting previous changes: %s", exc)
+        _revert_bridge()
+        raise
     config = {
         "host": DEFAULT_HOST,
         "node": node,
@@ -968,8 +1158,8 @@ def _instantiate_container(proxmox: Any, node: str, payload: Dict[str, Any]) ->
             rootfs=rootfs,
             memory=int(payload["ram_mib"]),
             swap=int(payload.get("swap_mb", 0)),
-            cores=int(payload.get("cpus", 1)),
-            cpuunits=int(payload.get("cpuunits", 256)),
+            cores=max(int(payload.get("cores", 1)), 1),
+            cpulimit=float(payload.get("cpulimit", payload.get("cpus", 1))),
             net0=payload["net0"],
             unprivileged=int(payload.get("unprivileged", 1)),
             description=payload.get("description", MANAGED_MARKER),
@@ -992,8 +1182,20 @@ class CreateProxmoxContainerHandler(SyncHandler):
     def execute(self, message: Dict[str, Any]) -> Dict[str, Any]:
         logger.info("create_proxmox_container command received")
         request_id = message.get("request_id")
+        raw_device_id = message.get("device_id")
+        device_id = str(raw_device_id or "").strip()
+        if not device_id:
+            raise ValueError("device_id is required to create a container")
+        device_public_key = (message.get("device_public_key") or "").strip()
+        device_private_key = (message.get("device_private_key") or "").strip()
+        has_device_keypair = bool(device_public_key and device_private_key)
         bootstrap_user, bootstrap_password, bootstrap_ssh_key = _get_provisioning_user_info(message)
-        bootstrap_steps = _build_bootstrap_steps(bootstrap_user, bootstrap_password, bootstrap_ssh_key)
+        bootstrap_steps = _build_bootstrap_steps(
+            bootstrap_user,
+            bootstrap_password,
+            bootstrap_ssh_key,
+            include_portacode_connect=not has_device_keypair,
+        )
         total_steps = 3 + len(bootstrap_steps) + 2
         current_step_index = 1
 
@@ -1015,6 +1217,7 @@ class CreateProxmoxContainerHandler(SyncHandler):
                 message=start_message,
                 phase="lifecycle",
                 request_id=request_id,
+                on_behalf_of_device=device_id,
             )
             try:
                 result = action()
@@ -1030,6 +1233,7 @@ class CreateProxmoxContainerHandler(SyncHandler):
                     phase="lifecycle",
                     request_id=request_id,
                     details={"error": str(exc)},
+                    on_behalf_of_device=device_id,
                 )
                 raise
             _emit_progress_event(
@@ -1042,6 +1246,7 @@ class CreateProxmoxContainerHandler(SyncHandler):
                 message=success_message,
                 phase="lifecycle",
                 request_id=request_id,
+                on_behalf_of_device=device_id,
             )
             current_step_index += 1
             return result
@@ -1068,7 +1273,8 @@ class CreateProxmoxContainerHandler(SyncHandler):
             proxmox = _connect_proxmox(config)
             node = config.get("node") or DEFAULT_NODE_NAME
             payload = _build_container_payload(message, config)
-            payload["cpuunits"] = max(int(payload["cpus"] * 1024), 10)
+            payload["cpulimit"] = float(payload["cpus"])
+            payload["cores"] = int(max(math.ceil(payload["cpus"]), 1))
             payload["memory"] = int(payload["ram_mib"])
             payload["node"] = node
             logger.debug(
@@ -1083,6 +1289,7 @@ class CreateProxmoxContainerHandler(SyncHandler):
             payload["vmid"] = vmid
             payload["created_at"] = datetime.utcnow().isoformat() + "Z"
             payload["status"] = "creating"
+            payload["device_id"] = device_id
             _write_container_record(vmid, payload)
             return proxmox, node, vmid, payload
 
@@ -1143,6 +1350,7 @@ class CreateProxmoxContainerHandler(SyncHandler):
                 phase="bootstrap",
                 request_id=request_id,
                 details=details or None,
+                on_behalf_of_device=device_id,
             )
 
         public_key, steps = _bootstrap_portacode(
@@ -1154,9 +1362,107 @@ class CreateProxmoxContainerHandler(SyncHandler):
             progress_callback=_bootstrap_progress_callback,
             start_index=current_step_index,
             total_steps=total_steps,
+            default_public_key=device_public_key if has_device_keypair else None,
         )
         current_step_index += len(bootstrap_steps)
 
+        service_installed = False
+        if has_device_keypair:
+            logger.info(
+                "deploying dashboard-provided Portacode keypair (device_id=%s) into container %s",
+                device_id,
+                vmid,
+            )
+            _deploy_device_keypair(
+                vmid,
+                payload["username"],
+                device_private_key,
+                device_public_key,
+            )
+            service_installed = True
+            service_start_index = current_step_index
+
+            auth_step_name = "setup_device_authentication"
+            auth_label = "Setting up device authentication"
+            _emit_progress_event(
+                self,
+                step_index=service_start_index,
+                total_steps=total_steps,
+                step_name=auth_step_name,
+                step_label=auth_label,
+                status="in_progress",
+                message="Notifying the server of the new device…",
+                phase="service",
+                request_id=request_id,
+                on_behalf_of_device=device_id,
+            )
+            _emit_progress_event(
+                self,
+                step_index=service_start_index,
+                total_steps=total_steps,
+                step_name=auth_step_name,
+                step_label=auth_label,
+                status="completed",
+                message="Authentication metadata recorded.",
+                phase="service",
+                request_id=request_id,
+                on_behalf_of_device=device_id,
+            )
+
+            install_step = service_start_index + 1
+            install_label = "Launching Portacode service"
+            _emit_progress_event(
+                self,
+                step_index=install_step,
+                total_steps=total_steps,
+                step_name="launch_portacode_service",
+                step_label=install_label,
+                status="in_progress",
+                message="Running sudo portacode service install…",
+                phase="service",
+                request_id=request_id,
+                on_behalf_of_device=device_id,
+            )
+
+            cmd = f"su - {payload['username']} -c 'sudo -S portacode service install'"
+            res = _run_pct(vmid, cmd, input_text=payload["password"] + "\n")
+
+            if res["returncode"] != 0:
+                _emit_progress_event(
+                    self,
+                    step_index=install_step,
+                    total_steps=total_steps,
+                    step_name="launch_portacode_service",
+                    step_label=install_label,
+                    status="failed",
+                    message=f"{install_label} failed: {res.get('stderr') or res.get('stdout')}",
+                    phase="service",
+                    request_id=request_id,
+                    details={
+                        "stderr": res.get("stderr"),
+                        "stdout": res.get("stdout"),
+                    },
+                    on_behalf_of_device=device_id,
+                )
+                raise RuntimeError(res.get("stderr") or res.get("stdout") or "Service install failed")
+
+            _emit_progress_event(
+                self,
+                step_index=install_step,
+                total_steps=total_steps,
+                step_name="launch_portacode_service",
+                step_label=install_label,
+                status="completed",
+                message="Portacode service install finished.",
+                phase="service",
+                request_id=request_id,
+                on_behalf_of_device=device_id,
+            )
+
+            logger.info("create_proxmox_container: portacode service install completed inside ct %s", vmid)
+
+            current_step_index += 2
+
         return {
             "event": "proxmox_container_created",
             "success": True,
@@ -1173,6 +1479,9 @@ class CreateProxmoxContainerHandler(SyncHandler):
                 "cpus": payload["cpus"],
             },
             "setup_steps": steps,
+            "device_id": device_id,
+            "on_behalf_of_device": device_id,
+            "service_installed": service_installed,
         }
 
 
@@ -1197,6 +1506,9 @@ class StartPortacodeServiceHandler(SyncHandler):
         password = record.get("password")
         if not user or not password:
             raise RuntimeError("Container credentials unavailable")
+        on_behalf_of_device = record.get("device_id")
+        if on_behalf_of_device:
+            on_behalf_of_device = str(on_behalf_of_device)
 
         start_index = int(message.get("step_index", 1))
         total_steps = int(message.get("total_steps", start_index + 2))
@@ -1214,6 +1526,7 @@ class StartPortacodeServiceHandler(SyncHandler):
             message="Notifying the server of the new device…",
             phase="service",
             request_id=request_id,
+            on_behalf_of_device=on_behalf_of_device,
         )
         _emit_progress_event(
             self,
@@ -1225,6 +1538,7 @@ class StartPortacodeServiceHandler(SyncHandler):
             message="Authentication metadata recorded.",
             phase="service",
             request_id=request_id,
+            on_behalf_of_device=on_behalf_of_device,
         )
 
         install_step = start_index + 1
@@ -1239,6 +1553,7 @@ class StartPortacodeServiceHandler(SyncHandler):
             message="Running sudo portacode service install…",
             phase="service",
             request_id=request_id,
+            on_behalf_of_device=on_behalf_of_device,
         )
 
         cmd = f"su - {user} -c 'sudo -S portacode service install'"
@@ -1259,6 +1574,7 @@ class StartPortacodeServiceHandler(SyncHandler):
                     "stderr": res.get("stderr"),
                     "stdout": res.get("stdout"),
                 },
+                on_behalf_of_device=on_behalf_of_device,
             )
             raise RuntimeError(res.get("stderr") or res.get("stdout") or "Service install failed")
 
@@ -1272,6 +1588,7 @@ class StartPortacodeServiceHandler(SyncHandler):
             message="Portacode service install finished.",
             phase="service",
             request_id=request_id,
+            on_behalf_of_device=on_behalf_of_device,
         )
 
         return {

portacode/connection/handlers/system_handlers.py

@@ -10,8 +10,9 @@ import platform
 import shutil
 import subprocess
 import threading
+import time
 from pathlib import Path
-from typing import Any, Dict
+from typing import Any, Dict, Optional
 
 from portacode import __version__
 import psutil
@@ -31,11 +32,26 @@ _cpu_percent = 0.0
 _cpu_thread = None
 _cpu_lock = threading.Lock()
 
+# Cgroup v2 tracking
+_CGROUP_ROOT = Path("/sys/fs/cgroup")
+_cgroup_path: Optional[Path] = None
+_cgroup_v2_supported: Optional[bool] = None
+_CGROUP_CPU_STAT = "cpu.stat"
+_CGROUP_CPU_MAX = "cpu.max"
+_last_cgroup_usage: Optional[int] = None
+_last_cgroup_time: Optional[float] = None
+
 def _cpu_monitor():
     """Background thread to update CPU usage every 5 seconds."""
     global _cpu_percent
     while True:
-        _cpu_percent = psutil.cpu_percent(interval=5.0)
+        percent = _get_cgroup_cpu_percent()
+        if percent is None:
+            # Fall back to psutil when cgroup stats are not available yet.
+            percent = psutil.cpu_percent(interval=5.0)
+        else:
+            time.sleep(5.0)
+        _cpu_percent = percent
 
 def _ensure_cpu_thread():
     """Ensure CPU monitoring thread is running (singleton)."""
@@ -130,6 +146,119 @@ def _get_playwright_info() -> Dict[str, Any]:
     return result
 
 
+def _resolve_cgroup_path() -> Path:
+    global _cgroup_path
+    if _cgroup_path is not None and _cgroup_path.exists():
+        return _cgroup_path
+    path = _CGROUP_ROOT
+    cgroup_file = Path("/proc/self/cgroup")
+    if cgroup_file.exists():
+        try:
+            contents = cgroup_file.read_text()
+        except OSError:
+            pass
+        else:
+            for line in contents.splitlines():
+                line = line.strip()
+                if not line:
+                    continue
+                parts = line.split(":", 2)
+                if len(parts) < 3:
+                    continue
+                rel_path = parts[-1].lstrip("/")
+                candidate = _CGROUP_ROOT / rel_path
+                # Fallback to root path if the relative path is empty
+                candidate = candidate if rel_path else _CGROUP_ROOT
+                if candidate.exists():
+                    path = candidate
+                    break
+    _cgroup_path = path
+    return _cgroup_path
+
+
+def _cgroup_file(name: str) -> Path:
+    return _resolve_cgroup_path() / name
+
+
+def _detect_cgroup_v2() -> bool:
+    global _cgroup_v2_supported
+    if _cgroup_v2_supported is not None:
+        return _cgroup_v2_supported
+    controllers = _cgroup_file("cgroup.controllers")
+    cpu_stat = _cgroup_file(_CGROUP_CPU_STAT)
+    _cgroup_v2_supported = controllers.exists() and cpu_stat.exists()
+    return _cgroup_v2_supported
+
+
+def _read_cgroup_cpu_usage() -> Optional[int]:
+    path = _cgroup_file(_CGROUP_CPU_STAT)
+    try:
+        data = path.read_text()
+    except (OSError, UnicodeDecodeError):
+        return None
+    for line in data.splitlines():
+        parts = line.strip().split()
+        if len(parts) >= 2 and parts[0] == "usage_usec":
+            try:
+                return int(parts[1])
+            except ValueError:
+                return None
+    return None
+
+
+def _read_cgroup_cpu_limit() -> Optional[float]:
+    """Return the allowed CPU (cores) for this cgroup, if limited."""
+    path = _cgroup_file(_CGROUP_CPU_MAX)
+    if not path.exists():
+        return None
+    try:
+        data = path.read_text().strip()
+    except (OSError, UnicodeDecodeError):
+        return None
+    parts = data.split()
+    if len(parts) < 2:
+        return None
+    quota, period = parts[0], parts[1]
+    if quota == "max":
+        return None
+    try:
+        quota_value = int(quota)
+        period_value = int(period)
+    except ValueError:
+        return None
+    if period_value <= 0:
+        return None
+    return quota_value / period_value
+
+
+def _get_cgroup_cpu_percent() -> Optional[float]:
+    if not _detect_cgroup_v2():
+        return None
+    usage = _read_cgroup_cpu_usage()
+    if usage is None:
+        return None
+    now = time.monotonic()
+    global _last_cgroup_usage, _last_cgroup_time
+    prev_usage = _last_cgroup_usage
+    prev_time = _last_cgroup_time
+    _last_cgroup_usage = usage
+    _last_cgroup_time = now
+    if prev_usage is None or prev_time is None:
+        return None
+    delta_usage = usage - prev_usage
+    delta_time = now - prev_time
+    if delta_time <= 0 or delta_usage < 0:
+        return None
+    cpu_ratio = (delta_usage / 1_000_000) / delta_time
+    limit_cpus = _read_cgroup_cpu_limit()
+    if limit_cpus and limit_cpus > 0:
+        percent = (cpu_ratio / limit_cpus) * 100.0
+    else:
+        cpu_count = psutil.cpu_count(logical=True) or 1
+        percent = (cpu_ratio / cpu_count) * 100.0
+    return max(0.0, min(percent, 100.0))
+
+
 def _run_probe_command(cmd: list[str]) -> str | None:
     try:
         result = subprocess.run(cmd, capture_output=True, text=True, check=True, timeout=3)

portacode/connection/handlers/test_proxmox_infra.py

@@ -0,0 +1,13 @@
+from unittest import TestCase
+
+from portacode.connection.handlers.proxmox_infra import _build_bootstrap_steps
+
+
+class ProxmoxInfraHandlerTests(TestCase):
+    def test_build_bootstrap_steps_includes_portacode_connect_by_default(self):
+        steps = _build_bootstrap_steps("svcuser", "pass", "", include_portacode_connect=True)
+        self.assertTrue(any(step.get("name") == "portacode_connect" for step in steps))
+
+    def test_build_bootstrap_steps_skips_portacode_connect_when_requested(self):
+        steps = _build_bootstrap_steps("svcuser", "pass", "", include_portacode_connect=False)
+        self.assertFalse(any(step.get("name") == "portacode_connect" for step in steps))

portacode/connection/terminal.py

@@ -56,6 +56,9 @@ from .handlers import (
     CreateProxmoxContainerHandler,
     RevertProxmoxInfraHandler,
     StartPortacodeServiceHandler,
+    StartProxmoxContainerHandler,
+    StopProxmoxContainerHandler,
+    RemoveProxmoxContainerHandler,
 )
 from .handlers.project_aware_file_handlers import (
     ProjectAwareFileWriteHandler,
@@ -480,6 +483,9 @@ class TerminalManager:
         self._command_registry.register(ConfigureProxmoxInfraHandler)
         self._command_registry.register(CreateProxmoxContainerHandler)
         self._command_registry.register(StartPortacodeServiceHandler)
+        self._command_registry.register(StartProxmoxContainerHandler)
+        self._command_registry.register(StopProxmoxContainerHandler)
+        self._command_registry.register(RemoveProxmoxContainerHandler)
         self._command_registry.register(RevertProxmoxInfraHandler)
         self._command_registry.register(UpdatePortacodeHandler)
 

{portacode-1.4.12.dev1.dist-info → portacode-1.4.15.dev10.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: portacode
-Version: 1.4.12.dev1
+Version: 1.4.15.dev10
 Summary: Portacode CLI client and SDK
 Home-page: https://github.com/portacode/portacode
 Author: Meena Erian

{portacode-1.4.12.dev1.dist-info → portacode-1.4.15.dev10.dist-info}/RECORD

@@ -1,7 +1,7 @@
 portacode/README.md,sha256=4dKtpvR8LNgZPVz37GmkQCMWIr_u25Ao63iW56s7Ke4,775
 portacode/__init__.py,sha256=oB3sV1wXr-um-RXio73UG8E5Xx6cF2ZVJveqjNmC-vQ,1086
 portacode/__main__.py,sha256=jmHTGC1hzmo9iKJLv-SSYe9BSIbPPZ2IOpecI03PlTs,296
-portacode/_version.py,sha256=KBZ1gEZmvt1J4XR1FpwaCleg3ayMUckV-yZYhnXlSCU,719
+portacode/_version.py,sha256=OsU3LmSVwSb16YuRZZoOGhx4fmAppA2W-vOQo60j6hQ,721
 portacode/cli.py,sha256=mGLKoZ-T2FBF7IA9wUq0zyG0X9__-A1ao7gajjcVRH8,21828
 portacode/data.py,sha256=5-s291bv8J354myaHm1Y7CQZTZyRzMU3TGe5U4hb-FA,1591
 portacode/keypair.py,sha256=0OO4vHDcF1XMxCDqce61xFTlFwlTcmqe5HyGsXFEt7s,5838
@@ -12,9 +12,9 @@ portacode/connection/README.md,sha256=f9rbuIEKa7cTm9C98rCiBbEtbiIXQU11esGSNhSMiJ
 portacode/connection/__init__.py,sha256=atqcVGkViIEd7pRa6cP2do07RJOM0UWpbnz5zXjGktU,250
 portacode/connection/client.py,sha256=jtLb9_YufqPkzi9t8VQH3iz_JEMisbtY6a8L9U5weiU,14181
 portacode/connection/multiplex.py,sha256=L-TxqJ_ZEbfNEfu1cwxgJ5vUdyRzZjsMy2Kx1diiZys,5237
-portacode/connection/terminal.py,sha256=07wxG_55JMy3yQ9TXCBldW9h43qCW3U8rv2yzGMx4FM,44757
+portacode/connection/terminal.py,sha256=oyLPOVLPlUuN_eRvHPGazB51yi8W8JEF3oOEYxucGTE,45069
 portacode/connection/handlers/README.md,sha256=HsLZG1QK1JNm67HsgL6WoDg9nxzKXxwkc5fJPFJdX5g,12169
-portacode/connection/handlers/WEBSOCKET_PROTOCOL.md,sha256=7tBYNEY8EBGAPIMT606BqeHnyMOQIZVlQYpH7me26LY,97962
+portacode/connection/handlers/WEBSOCKET_PROTOCOL.md,sha256=OtObmoVAXlf0uU1HidTWNmyJYBS1Yl6Rpgyh6TOTjUQ,100590
 portacode/connection/handlers/__init__.py,sha256=WSeBmi65GWFQPYt9M3E10rn0uZ_EPCJzNJOzSf2HZyw,2921
 portacode/connection/handlers/base.py,sha256=oENFb-Fcfzwk99Qx8gJQriEMiwSxwygwjOiuCH36hM4,10231
 portacode/connection/handlers/chunked_content.py,sha256=h6hXRmxSeOgnIxoU8CkmvEf2Odv-ajPrpHIe_W3GKcA,9251
@@ -22,12 +22,13 @@ portacode/connection/handlers/diff_handlers.py,sha256=iYTIRCcpEQ03vIPKZCsMTE5aZb
 portacode/connection/handlers/file_handlers.py,sha256=nAJH8nXnX07xxD28ngLpgIUzcTuRwZBNpEGEKdRqohw,39507
 portacode/connection/handlers/project_aware_file_handlers.py,sha256=AqgMnDqX2893T2NsrvUSCwjN5VKj4Pb2TN0S_SuboOE,9803
 portacode/connection/handlers/project_state_handlers.py,sha256=v6ZefGW9i7n1aZLq2jOGumJIjYb6aHlPI4m1jkYewm8,1686
-portacode/connection/handlers/proxmox_infra.py,sha256=Sd25UGM7edWDTIiatZvA2Dh3-4NOzfIDmixG0Fz5m0U,51343
+portacode/connection/handlers/proxmox_infra.py,sha256=5DAHhzbegCI0fKdekP8Or6jrGZptmthLdq-RMtOPZDc,63843
 portacode/connection/handlers/registry.py,sha256=qXGE60sYEWg6ZtVQzFcZ5YI2XWR6lMgw4hAL9x5qR1I,6181
 portacode/connection/handlers/session.py,sha256=uNGfiO_1B9-_yjJKkpvmbiJhIl6b-UXlT86UTfd6WYE,42219
-portacode/connection/handlers/system_handlers.py,sha256=AKh7IbwptlLYrbSw5f-DHigvlaKHsg9lDP-lkAUm8cE,10755
+portacode/connection/handlers/system_handlers.py,sha256=fr12QpOr_Z8KYGUU-AYrTQwRPAcrLK85hvj3SEq1Kw8,14757
 portacode/connection/handlers/tab_factory.py,sha256=yn93h6GASjD1VpvW1oqpax3EpoT0r7r97zFXxML1wdA,16173
 portacode/connection/handlers/terminal_handlers.py,sha256=HRwHW1GiqG1NtHVEqXHKaYkFfQEzCDDH6YIlHcb4XD8,11866
+portacode/connection/handlers/test_proxmox_infra.py,sha256=d6iBB4pwAqWWdEGRayLxDEexqCElbGZDJlCB4bXba24,682
 portacode/connection/handlers/update_handler.py,sha256=f2K4LmG4sHJZ3LahzzoRtHBULTKkPUNwuyhwuAAg3RA,2054
 portacode/connection/handlers/project_state/README.md,sha256=trdd4ig6ungmwH5SpbSLfyxbL-QgPlGNU-_XrMEiXtw,10114
 portacode/connection/handlers/project_state/__init__.py,sha256=5ucIqk6Iclqg6bKkL8r_wVs5Tlt6B9J7yQH6yQUt7gc,2541
@@ -64,7 +65,7 @@ portacode/utils/__init__.py,sha256=NgBlWTuNJESfIYJzP_3adI1yJQJR0XJLRpSdVNaBAN0,3
 portacode/utils/diff_apply.py,sha256=4Oi7ft3VUCKmiUE4VM-OeqO7Gk6H7PF3WnN4WHXtjxI,15157
 portacode/utils/diff_renderer.py,sha256=S76StnQ2DLfsz4Gg0m07UwPfRp8270PuzbNaQq-rmYk,13850
 portacode/utils/ntp_clock.py,sha256=VqCnWCTehCufE43W23oB-WUdAZGeCcLxkmIOPwInYHc,2499
-portacode-1.4.12.dev1.dist-info/licenses/LICENSE,sha256=2FGbCnUDgRYuQTkB1O1dUUpu5CVAjK1j4_p6ack9Z54,1066
+portacode-1.4.15.dev10.dist-info/licenses/LICENSE,sha256=2FGbCnUDgRYuQTkB1O1dUUpu5CVAjK1j4_p6ack9Z54,1066
 test_modules/README.md,sha256=Do_agkm9WhSzueXjRAkV_xEj6Emy5zB3N3VKY5Roce8,9274
 test_modules/__init__.py,sha256=1LcbHodIHsB0g-g4NGjSn6AMuCoGbymvXPYLOb6Z7F0,53
 test_modules/test_device_online.py,sha256=QtYq0Dq9vME8Gp2O4fGSheqVf8LUtpsSKosXXk56gGM,1654
@@ -90,8 +91,8 @@ testing_framework/core/playwright_manager.py,sha256=Tw46qwxIhOFkS48C2IWIQHHNpEe-
 testing_framework/core/runner.py,sha256=j2QwNJmAxVBmJvcbVS7DgPJUKPNzqfLmt_4NNdaKmZU,19297
 testing_framework/core/shared_cli_manager.py,sha256=BESSNtyQb7BOlaOvZmm04T8Uezjms4KCBs2MzTxvzYQ,8790
 testing_framework/core/test_discovery.py,sha256=2FZ9fJ8Dp5dloA-fkgXoJ_gCMC_nYPBnA3Hs2xlagzM,4928
-portacode-1.4.12.dev1.dist-info/METADATA,sha256=o7psDA6l4eoRJLFQipCS3XcgsqTLxNMf39xhh6qYJ00,13051
-portacode-1.4.12.dev1.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
-portacode-1.4.12.dev1.dist-info/entry_points.txt,sha256=lLUUL-BM6_wwe44Xv0__5NQ1BnAz6jWjSMFvZdWW3zU,48
-portacode-1.4.12.dev1.dist-info/top_level.txt,sha256=TGhTYUxfW8SyVZc_zGgzjzc24gGT7nSw8Qf73liVRKM,41
-portacode-1.4.12.dev1.dist-info/RECORD,,
+portacode-1.4.15.dev10.dist-info/METADATA,sha256=FZkeltpJrx27P2fnujDDrYsinIFjnm1VsnnqTSVBk1g,13052
+portacode-1.4.15.dev10.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
+portacode-1.4.15.dev10.dist-info/entry_points.txt,sha256=lLUUL-BM6_wwe44Xv0__5NQ1BnAz6jWjSMFvZdWW3zU,48
+portacode-1.4.15.dev10.dist-info/top_level.txt,sha256=TGhTYUxfW8SyVZc_zGgzjzc24gGT7nSw8Qf73liVRKM,41
+portacode-1.4.15.dev10.dist-info/RECORD,,

{portacode-1.4.12.dev1.dist-info → portacode-1.4.15.dev10.dist-info}/WHEEL

@@ -1,5 +1,5 @@
 Wheel-Version: 1.0
-Generator: setuptools (80.9.0)
+Generator: setuptools (80.10.2)
 Root-Is-Purelib: true
 Tag: py3-none-any