Skip to content

Capture reverse-proxy smoke evidence for private review deployment #16

Description

@Joncallim

Goal

Prove the private review deployment works through the documented reverse proxy while keeping the Rust daemon private and the browser API token-protected.

Plain-English Context

A reviewer should be able to open DockerMap through the public review URL, but they should not be able to reach the private Rust daemon directly or bypass API protection. This issue asks an agent to prove the proxy setup works as intended, including live event streaming and token behavior, before release.

Roadmap Source

  • docs/planning/ROADMAP.md -> Now: Private Alpha Hardening -> Capture release-host evidence.
  • docs/release/RELEASE_CHECKLIST.md -> Execute After Next Commit -> capture reverse-proxy smoke evidence including bearer-token injection, SSE streaming, public review URL access, and direct daemon-port inaccessibility.

Recommended Agent

Primary: release-ops

Handoff note: involve security-readonly if any proxy or daemon behavior appears to bypass token protection, CORS policy, loopback daemon binding, or error redaction.

Scope

Target areas:

  • docs/release/RELEASE_CHECKLIST.md
  • docs/deployment/DEPLOYMENT.md
  • docs/deployment/REVERSE_PROXY.md
  • scripts/smoke-deploy.sh only if the documented smoke command is stale or insufficient
  • deployment config under deploy, Dockerfile, or docker-compose.yml only if the maintainer asks for a wiring fix

Direction

  1. Use the intended private review host and documented reverse-proxy setup.
  2. Confirm the Express API is reachable through the proxy and the Rust daemon is not directly reachable from another machine.
  3. Confirm viewer authentication or bearer-token injection behaves as documented.
  4. Confirm /api/events/stream still streams through the proxy without buffering or auth breakage.
  5. Confirm /api/snapshot returns 401 without a bearer token when bypassing proxy token injection.
  6. Run the local and public smoke checks, then record exact results in the release evidence location.
  7. Do not paste real tokens, auth headers, private URLs, or sensitive host details into docs or issue comments.

Acceptance Criteria

  • scripts/smoke-deploy.sh http://127.0.0.1:4000 result is recorded on the host.
  • scripts/smoke-deploy.sh against the public review URL result is recorded.
  • Evidence states whether bearer-token injection works for protected routes.
  • Evidence states whether SSE streaming works through the reverse proxy.
  • Evidence states that direct remote access to daemon port 4100 is impossible, or keeps the gate open if not proven.
  • Evidence states that /api/health, /api/snapshot, /api/runtime/map, /api/compose/scan, and /api/events/stream work through the proxy.
  • Any deployment or security failure is called out as a blocker instead of being marked complete.

Validation Commands

Run on the release/review host and record exact results:

  • git rev-parse HEAD
  • npm run build:deploy
  • scripts/smoke-deploy.sh http://127.0.0.1:4000
  • scripts/smoke-deploy.sh <public-review-url>
  • targeted curl checks for unauthenticated 401, authenticated protected routes, and SSE streaming, with tokens redacted from output
  • a remote connectivity check proving daemon port 4100 is inaccessible from another machine

State any skipped commands and why.

Closure Evidence

When resolved, post a comment using the repository evidence format:

## Resolution Evidence
- What changed:
- Why this resolves the issue:
- How I checked it:
- Remaining risk or follow-up:

Recommendation: This issue appears resolved and can be closed by a maintainer.

If proxy behavior cannot be verified on the release host, recommend keeping the issue open. Do not close the issue automatically.

Metadata

Metadata

Assignees

No one assigned

    Labels

    documentationImprovements or additions to documentationenhancementNew feature or request

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions