sync: record secure gateway tracking setup

Rene Fichtmueller 2026-05-12 22:17:33 +02:00
parent c4056701b3
commit 9027484e3d
2 changed files with 83 additions and 1 deletions


@ -10,7 +10,36 @@
## Session Status ## Session Status
### Latest Verified State — 2026-05-12 ### Latest Verified State — 2026-05-12 22:15 Europe/Berlin
- Secure bridge architecture is now in place for Gateway-routed subscription access:
- MacStudio Codex bridge listens on `127.0.0.1:3253`.
- Local M365 bridge listens on `127.0.0.1:3257` but remains auth-required.
- Cloudflare-Access SSH reverse tunnel exposes only Erik loopback listeners `127.0.0.1:3353` and `127.0.0.1:3357`.
- Gateway live env points `CODEX_BRIDGE_URL` / `OPENAI_CODEX_URL` to `http://127.0.0.1:3353`.
- End-to-end Codex via Gateway works and is tracked:
- Caller `codex-secure-tunnel-smoke`.
- Model `gpt-5.1-codex-mini`.
- Dashboard request row recorded tokens, latency, cost, and compression metadata.
- New local Codex starts are configured for Gateway:
- `~/.codex/config.toml` default provider `llm-gateway`, `wire_api = "responses"`, `env_key = "LLM_GATEWAY_API_KEY"`.
- `~/.zshrc` sets OpenAI-compatible Gateway env vars and aliases `codex` to the Gateway profile.
- Local Gateway Companion is running on `127.0.0.1:11435` for desktop/CLI clients that need a local endpoint.
- It forwards OpenAI-compatible calls to `https://llm-gateway.context-x.org`.
- It translates Claude/Anthropic `/v1/messages` text calls to Gateway `/v1/chat/completions`.
- Claude Companion smoke with model `claude-sonnet-4-6` returned content and was tracked.
- Claude model alias warning:
- `claude-sonnet-4-1` is stale for current Claude Code bridge behavior and produced empty/failing output.
- `claude-sonnet-4-6`, `sonnet`, or default bridge model works.
- Remaining auth blockers:
- GitHub Copilot bridge remains `auth_required`.
- M365 Copilot bridge remains `auth_required` until real Microsoft Graph delegated auth/client config exists.
- Truth boundary:
- Gateway can track/compress only requests that enter it before provider execution.
- Existing native app sessions must be restarted or explicitly configured to use Gateway/Companion.
- Full Claude Code tool-call translation through Anthropic `/v1/messages` is not finished; current Companion support is text-compatible and enough for tracking text calls.
### Previous Verified State — 2026-05-12
- Public gateway is reachable: - Public gateway is reachable:
- `/api/dashboard/health` returns `ok`, database `connected`. - `/api/dashboard/health` returns `ok`, database `connected`.
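Review bot: The tunnel bullet under "Latest Verified State" states that the reverse tunnel "exposes only Erik loopback listeners `127.0.0.1:3353` and `127.0.0.1:3357`", but the entry records no evidence for that binding. Whether an SSH remote forward stays on loopback depends on the server's `GatewayPorts` setting and on the bind address given in the forward, so I'd record both here together with the listener check that was run on Erik, so the claim can be re-verified later. Two smaller points in the same block: "listens on `127.0.0.1:3257` but remains auth-required" reads as if the listener enforces authentication, while "Remaining auth blockers" uses `auth_required` to mean the bridge has not been authenticated yet, so one of them should be reworded; and the "Latest" and "Previous" headings carry the same date with a time on only one of them, which leaves their order unclear.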


@ -0,0 +1,53 @@
# Session: Secure Bridge Tracking — 2026-05-12
**Agent:** Codex
**Status:** Complete for Gateway-routed Codex/Claude paths; auth still required for Microsoft/GitHub Copilot
## Verified
- Public Gateway health is OK and DB is connected.
- Live `/v1/chat/completions` and `/v1/responses` are available for OpenAI-compatible clients.
- MacStudio Codex bridge is running locally on `127.0.0.1:3253`.
- Erik sees Codex only through an authenticated Cloudflare-Access SSH reverse tunnel bound to `127.0.0.1:3353`.
- Gateway process env points Codex providers at `http://127.0.0.1:3353`.
- End-to-end Codex smoke through Gateway worked and appeared in dashboard as caller `codex-secure-tunnel-smoke` with model `gpt-5.1-codex-mini`.
- Local Gateway Companion is running on `127.0.0.1:11435` and forwards OpenAI-compatible traffic to `https://llm-gateway.context-x.org`.
- Companion now translates Anthropic `/v1/messages` to Gateway `/v1/chat/completions` so Claude Code style calls can be tracked.
- Claude Companion smoke worked with caller `claude-code-companion-smoke-46b` and model `claude-sonnet-4-6`.
## Local Client Routing
- `~/.codex/config.toml` now defaults new Codex starts to provider `llm-gateway`, model `gpt-5.1-codex-mini`, `wire_api = "responses"`, `env_key = "LLM_GATEWAY_API_KEY"`.
- `~/.zshrc` exports Gateway defaults for OpenAI-compatible clients:
- `OPENAI_BASE_URL=https://llm-gateway.context-x.org/v1`
- `OPENAI_API_BASE=https://llm-gateway.context-x.org/v1`
- `OPENAI_API_KEY=gateway` when unset
- `LLM_GATEWAY_API_KEY=gateway`
- `~/.zshrc` also points Claude-compatible clients at the local Companion:
- `ANTHROPIC_BASE_URL=http://127.0.0.1:11435`
- `ANTHROPIC_API_KEY=gateway` when unset
- `ANTHROPIC_DEFAULT_SONNET_MODEL_NAME=claude-sonnet-4-6`
- macOS `launchctl` GUI environment has the same Gateway variables for newly started GUI apps.
## Security Decision
- Do not expose subscription bridges on LAN or public interfaces.
- Keep MacStudio bridges loopback-only.
- Use authenticated Cloudflare Access SSH reverse tunnels to Erik.
- Bind remote tunnel ports on Erik to `127.0.0.1` only.
- Gateway may call tunneled bridges from Erik loopback; outside traffic cannot connect to the bridge ports directly.
## Important Limits
- The Gateway can track and compress only requests that enter it before the provider call.
- Existing native Codex/Claude sessions are not retroactively tracked; restart/new sessions are required.
- Full Claude Code agent tool-use through an Anthropic adapter is not fully implemented. The Companion supports basic `/v1/messages` text calls and tracking; deeper tool-call translation remains a follow-up.
- GitHub Copilot bridge remains `auth_required` until `copilot-api` auth is completed.
- Microsoft 365 Copilot bridge remains `auth_required` until Graph delegated auth or a Microsoft app/client flow is configured. Do not fake a token.
## Next
- Add first-class `/v1/messages` to the Gateway itself instead of relying only on the local Companion.
- Update Gateway provider model aliases from older Claude names to current Claude Code aliases such as `claude-sonnet-4-6`.
- Implement tool-call translation if Claude Code itself should run as a full agent through the Gateway.
- Finish GitHub Copilot and M365 auth interactively.
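Review bot: "Security Decision" covers only the bridge ports; nothing in this file says what authenticates callers at the public Gateway, while "Local Client Routing" sets `OPENAI_API_KEY=gateway`, `LLM_GATEWAY_API_KEY=gateway` and `ANTHROPIC_API_KEY=gateway`. Because the Gateway "may call tunneled bridges from Erik loopback", the Gateway's own caller authentication is the effective boundary in front of the subscription bridges, so please add a bullet stating what enforces it and whether `gateway` is a placeholder or an accepted credential. The same section should also note that the Companion on `127.0.0.1:11435` is reachable by any local process, and that the `launchctl` GUI environment hands these variables to every newly started GUI app.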