From b15b8da963ed172ecbfb0508d011026b1d0ca729 Mon Sep 17 00:00:00 2001 From: Rene Fichtmueller Date: Tue, 12 May 2026 23:31:02 +0200 Subject: [PATCH] sync: record gateway final hardening --- sync/CURRENT.md | 20 ++++++++- .../2026-05-12-gateway-final-hardening.md | 43 +++++++++++++++++++ 2 files changed, 62 insertions(+), 1 deletion(-) create mode 100644 sync/history/2026-05-12-gateway-final-hardening.md diff --git a/sync/CURRENT.md b/sync/CURRENT.md index 43d5375..52595fe 100644 --- a/sync/CURRENT.md +++ b/sync/CURRENT.md 
@@ -10,7 +10,25 @@ ## Session Status -### Latest Verified State — 2026-05-12 23:08 Europe/Berlin +### Latest Verified State — 2026-05-12 23:30 Europe/Berlin + +- Live hardening and verification completed: + - GitHub Copilot bridge now binds to loopback by default (`127.0.0.1`) and reports stable diagnostic health instead of hiding startup/auth failures behind PM2 restarts. + - The Copilot bridge health now exposes `auth_required`, host, package, last startup/output, and an explicit warning while `COPILOT_API_PACKAGE` is still `copilot-api@latest`. + - Dashboard Client Coverage now shows bridge provider/runtime state per desktop client, not only local process/install detection. + - Live `/api/dashboard/clients?hours=24` verifies: + - Codex Desktop / CLI: `live`, bridge `codex` ready, callers include `codex-cli`, `codex-live-gateway-check`, `codex-secure-tunnel-smoke`, `tokensSaved=4067`. + - Claude Desktop / Claude Code: `live`, bridge `claude-code` ready, callers include `claude-code-companion`, `requestCount=28`. + - Microsoft Copilot: local process detected, bridge `m365-copilot-bridge` remains `auth_required` until Microsoft Graph/device auth is configured. + - GitHub Copilot: local process/bridge detected, bridge `copilot-bridge` remains `auth_required` until GitHub Copilot device login is completed. + - Fresh compression proof after deploy: + - Caller `final-repeat-compression-smoke`, model `qwen2.5:14b`. + - Compression mode `ctxlean:verbatim_compact`. + - Tokens `8882 -> 106`, saved `8776`, savings `98.81%`. + - Gateway public health remains green: `/api/dashboard/health` returns `status=ok`, database `connected`. +- Operational note: + - Cloudflare SSH fallback needed explicit Go DNS mode from Codex sandbox: `GODEBUG=netdns=go+1 cloudflared access ssh --hostname ssh.context-x.org`. + - Direct SSH to Erik was intermittent/refused during deploy, but Cloudflare SSH with the DNS override completed restart and verification. 
- Companion tool-use adapter added and verified: - Anthropic `tools` are summarized into a strict tool-use adapter instruction for the text backend. diff --git a/sync/history/2026-05-12-gateway-final-hardening.md b/sync/history/2026-05-12-gateway-final-hardening.md new file mode 100644 index 0000000..39dbe6f --- /dev/null +++ b/sync/history/2026-05-12-gateway-final-hardening.md 
@@ -0,0 +1,43 @@ +# LLM Gateway Final Hardening Handoff — 2026-05-12 + +## Summary + +- Hardened GitHub Copilot bridge: + - Loopback-only default: `COPILOT_BRIDGE_HOST=127.0.0.1`. + - Health endpoint remains available when underlying `copilot-api` is starting, unavailable, or auth-blocked. + - Health now reports `auth_required`, package/version, last startup/output, and warns while `COPILOT_API_PACKAGE=copilot-api@latest`. + - Existing spawn/restart behavior from Erik was preserved. +- Dashboard client coverage now reports bridge runtime state per client: + - Codex -> `codex`. + - Claude Code -> `claude-code`. + - Microsoft Copilot -> `m365-copilot-bridge`. + - GitHub Copilot -> `copilot-bridge`. + - ChatGPT/OpenAI Desktop -> `chatgpt-bridge`. +- Deployed changed dashboard artifacts and restarted only `copilot-bridge` and `llm-gateway`. + +## Live Verification + +- Public Gateway health: `status=ok`, database `connected`. +- Client coverage, 24h: + - Codex Desktop / CLI: `live`, bridge ready, `requestCount=3`, `tokensSaved=4067`. + - Claude Desktop / Claude Code: `live`, bridge ready, `requestCount=28`. + - Microsoft Copilot: local process detected, bridge `auth_required`. + - GitHub Copilot: local process detected, bridge `auth_required`. +- Copilot bridge direct health: + - `status=auth_required`. + - `host=127.0.0.1`. + - `copilot_api_package=copilot-api@latest`. + - Detail: authorize GitHub device login shown in bridge logs. +- Fresh compression proof: + - Request `chatcmpl-1778621358742-cascdms`. + - Caller `final-repeat-compression-smoke`. + - Model `qwen2.5:14b`. + - Compression `ctxlean:verbatim_compact`. + - Tokens `8882 -> 106`, saved `8776`, savings `98.81%`. + +## Remaining Boundaries + +- Gateway tracks and compresses only traffic that enters the Gateway/Companion before provider execution. +- GitHub Copilot and Microsoft Copilot cannot be counted until their real account/device auth is completed. 
+- `copilot-api@latest` should be pinned before treating the GitHub Copilot bridge as fully production-stable. +- Erik direct SSH was intermittent/refused during deploy; Cloudflare SSH worked with `GODEBUG=netdns=go+1`.
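Review bot: In the sync/CURRENT.md hunk, the Operational note commits the full access command, hostname included (`cloudflared access ssh --hostname ssh.context-x.org`), together with the `GODEBUG=netdns=go+1` override, but does not say why name resolution failed from the Codex sandbox or when the override can be dropped. Suggest recording the cause if it is known and a removal condition, and confirming that the SSH hostname is meant to be kept in this file. Separately, the Codex Desktop / CLI line gives `tokensSaved=4067` but no `requestCount`, while the Claude line has `requestCount=28` and the history file records `requestCount=3` for Codex; adding it here would keep the two records consistent.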
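Review bot: In sync/history/2026-05-12-gateway-final-hardening.md, the "Copilot bridge direct health" block records only `copilot_api_package=copilot-api@latest`, so the handoff does not state which `copilot-api` version was actually verified, even though the Summary says health now reports package/version. Suggest recording the resolved version next to the tag, and, since pinning is listed under Remaining Boundaries, either pinning in this change or wording the title so that "final hardening" does not read as covering it. Also worth stating in the Summary: health now returns last startup/output while the Detail line says the GitHub device login is "shown in bridge logs", so note whether that output is redacted before it is served by the health endpoint.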