…pfs mounts

The compose role now manages host port allocation from a configured range instead of letting clients specify host port bindings directly. Services declare container ports via `expose:` in their compose file, and the agent allocates host ports from `port_range`, binding to the client's `ingress_bind_address`. Port mappings are returned in the deploy response so callers can wire ingress routes.

Also fixes tmpfs handling to merge client-specified entries with global defaults instead of overwriting them, allowing containers like nginx to declare additional tmpfs paths (e.g. /var/cache/nginx) alongside the hardening defaults.

Updates CLAUDE.md with ESM module resolution guidelines and fixes vault-fact-store main field.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
21 Go tests covering:

- Port allocator: allocation, reuse, reallocation on change, client isolation, range exhaustion, release, persistence across restarts
- Compose hardening: client ports stripped, allocated ports injected with bind address, expose cleared, tmpfs merge with defaults
- Helpers: parsePortRange validation, extractExposeEntries, portsMatch, parseTmpfsEntries type handling

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
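The compose hardening the two commits above describe, as an added sketch that is not the project's code: `Harden`, `allocate`, `Service` and `defaultTmpfs` are hypothetical names, and `bind`, `lo`, `hi` stand for the client's `ingress_bind_address` and `port_range`. The constructed defaults win over a client tmpfs entry for the same path, so hardening cannot be weakened by redeclaring it.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)
type Service struct{ Ports, Expose, Tmpfs []string } // only the compose keys the hardening rewrites
var defaultTmpfs = []string{"/tmp", "/run"} // stands in for the global hardening defaults (constructed values)
// allocate returns the host port already held by key (so a redeploy keeps its port) or the
// lowest free port in [lo, hi]; owner (host port -> key) is the state the agent persists.
func allocate(lo, hi int, owner map[int]string, key string) (int, error) {
	for hp, k := range owner {
		if k == key {
			return hp, nil
		}
	}
	for hp := lo; hp <= hi; hp++ {
		if _, taken := owner[hp]; !taken {
			owner[hp] = key
			return hp, nil
		}
	}
	return 0, fmt.Errorf("port range %d-%d exhausted", lo, hi)
}
// Harden discards client-chosen host bindings, binds one allocated host port per exposed container
// port to bind (the client's ingress_bind_address), clears expose, and merges tmpfs with the defaults.
func Harden(bind string, lo, hi int, owner map[int]string, client, name string, svc Service) (Service, map[int]int, error) {
	mapping, exposed := map[int]int{}, svc.Expose
	svc.Ports, svc.Expose = nil, nil // the client never picks host ports or bind addresses
	for _, e := range exposed {
		cport, err := strconv.Atoi(strings.TrimSuffix(e, "/tcp"))
		if err != nil {
			return svc, nil, fmt.Errorf("bad expose entry %q", e)
		}
		hp, err := allocate(lo, hi, owner, fmt.Sprintf("%s/%s/%d", client, name, cport))
		if err != nil {
			return svc, nil, err
		}
		svc.Ports, mapping[cport] = append(svc.Ports, fmt.Sprintf("%s:%d:%d", bind, hp, cport)), hp
	}
	seen, merged := map[string]bool{}, []string{}
	for _, t := range append(append([]string{}, defaultTmpfs...), svc.Tmpfs...) {
		if path := strings.SplitN(t, ":", 2)[0]; !seen[path] { // duplicate path: the default wins
			seen[path], merged = true, append(merged, t)
		}
	}
	svc.Tmpfs = merged
	return svc, mapping, nil
}
```

Passing the same `owner` map across calls models the persisted allocator state, which is what makes a redeploy keep its host ports and a second client hit range exhaustion rather than a collision.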
Replace individual remote commands for writing client policy files with MirrorState from @opsen/docker-compose. This ensures stale policy files are cleaned up when clients are removed, instead of only being deleted when the Pulumi resource is destroyed.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
When a client policy changes (e.g. IngressBindAddress, hardening settings), the reconciler detects stale deployments by comparing a policy hash stored at deploy time with the current policy hash. Stale projects are automatically re-hardened and redeployed.

Anti-loop guarantee: after successful redeploy, the stored hash is updated to match the current policy, so the reconciler won't trigger again until the policy actually changes.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
All remote commands in AgentInstaller are now wrapped with sudo when the SSH connection user is not root. Binary upload goes to /tmp first (SFTP doesn't support sudo), then sudo mv to /usr/local/bin.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…lity

The agent package must keep type: module because Pulumi's ts-node CJS loader cannot resolve .js extensions to .ts source files without it. Since agent doesn't use Pulumi deep imports, ESM mode is safe here.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Pulumi's ts-node always runs CJS regardless of type: module. Switch agent to module: commonjs / moduleResolution: node in tsconfig, remove type: module from package.json, strip .js extensions from relative imports, and use __dirname instead of import.meta.dirname. This ensures the agent works when consumed via file: references from Pulumi programs.

Verified with full e2e deployment on Hetzner Cloud via test.local.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary

- … `port_range`. Services declare container ports via `expose:` in their compose file, and the agent allocates host ports bound to the client's `ingress_bind_address`. Port mappings are returned in the deploy response for ingress wiring.
- … `.js` extensions to 223 relative imports across all packages. Updated CLAUDE.md with ESM module resolution guidelines.
- … `main` field from `dist/index.js` to `src/index.ts` for workspace resolution.

Test plan

- … `expose: ["80"]` and verify port is allocated from configured range
- … `ports` field)
- `pnpm build` passes clean

🤖 Generated with Claude Code