Three fixes addressing codex's adversarial review of the earlier orphan-
recovery / graceful-shutdown landing:
(1) Codex point B — single shutdown path. Removed the parallel
installGracefulShutdown() handler in rpc-mode.ts that was adding
a second SIGTERM listener and racing forceShutdown()'s teardown.
The drain is now the FIRST step inside forceShutdown() (before
killTrackedDetachedChildren / extension session_shutdown / etc.)
so DB writes complete cleanly while child processes are still
alive to flush. Race-free against the existing shutdown ordering.
(2) Codex point D — recovery-before-each-drain. Cloud-volume mtime
visibility lags between containers can mean an orphan `.draining`
file from a previous container isn't visible during the startup
scan but appears moments later. drainQueuedSfFeedbackCommands()
now runs recoverOrphanedFeedbackDrains() as its first step, so
each dispatch's drain sees the latest filesystem state.
(3) Codex point E — healthz returns 503 during shutdown. New module
src/web/shutdown-state.ts holds a per-process flag, auto-registers
SIGTERM/SIGINT/SIGHUP handlers on first read, and exposes a
snapshot (signal, startedAt, elapsedMs) for diagnostics. The
healthz route imports isShuttingDown() and returns 503 when set,
so k8s readinessProbe / Forgejo blue-green probes drain traffic
BEFORE we actually stop responding.
Tests:
- rpc-mode-orphan-recovery.test.ts: 8/8 still green
- web-shutdown-state.test.ts: 5/5 new — default false, mark sets
flag, idempotent, signal exposed via snapshot, null signal for
manual mark
Deferred to a follow-up commit (codex didn't flag, but noted for
completeness): a SIGTERM-drain child-process integration test that
spawns rpc-mode + sends a real signal. The 5 unit tests cover the
flag logic; the integration test would cover the full process tree
and is bulkier than the current commit warrants.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Directory listing:
- app/
- components/
- hooks/
- lib/
- pages/
- public/
- styles/
- .gitignore
- components.json
- eslint.config.mjs
- next-env.d.ts
- next.config.mjs
- package-lock.json
- package.json
- postcss.config.mjs
- proxy.ts
- README.md
- tsconfig.json
sf server
Next.js 15 (App Router) frontend for sf server. Ships as a standalone bundle
baked into the sf release; can also be run from source for development.
What this is
The web UI is a browser workspace for sf. It connects to a bridge service
(src/web/bridge-service.ts) that manages an sf subprocess per project CWD and
proxies RPC commands over stdio. The page is a single-page app: no server-side
rendering, client-only via dynamic(..., { ssr: false }).
How to run
Packaged (normal use)
sf server # launches Next.js standalone server and opens browser
sf server --port 3000 # pick a specific port
Source dev mode (requires the repo checked out)
npm --prefix web run dev
The dev server needs these env vars (set automatically by sf server; set
manually for source dev):
| Variable | Description |
|---|---|
| SF_WEB_AUTH_TOKEN | Bearer token for all API requests |
| SF_WEB_PROJECT_CWD | Absolute path of the project being served |
| SF_WEB_HOST | Host to bind (default 127.0.0.1) |
| SF_WEB_PORT | Port to bind |
Auth
On first page load the client reads the bearer token from the URL fragment
(#token=…), stores it in localStorage under sf-auth-token, and strips the
fragment from the URL.
All subsequent requests attach it:
- Fetch / API routes: Authorization: Bearer <token> header (via authFetch / authHeaders in web/lib/auth.ts).
- SSE routes: ?_token=<token> query parameter (EventSource doesn't support custom headers).
Keep in mind that, unlike the fragment (which browsers never send to the server), the query-string form travels in the request URL and will show up in any access log or proxy in front of the server; the default 127.0.0.1 bind limits that exposure.
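The bootstrap and attachment logic above, as an added example that is not web/lib/auth.ts or any other project code. It is written as pure functions over a Storage-like interface so it runs under Node; the names tokenFromFragment, bootstrapToken, authHeaders, sseUrl and MemoryStorage are assumptions, while the sf-auth-token key, the #token= fragment and the _token query parameter are those the README documents:

```typescript
// Added example (not web/lib/auth.ts): first-load token bootstrap and the two
// ways the token is attached. Function and class names are assumptions; the
// storage key, fragment name and query parameter are the documented ones.

const STORAGE_KEY = "sf-auth-token";

// Minimal Storage-like interface so the example runs outside a browser;
// in the real page this is window.localStorage.
export interface TokenStore {
  getItem(key: string): string | null;
  setItem(key: string, value: string): void;
}

export class MemoryStorage implements TokenStore {
  private map = new Map<string, string>();
  getItem(key: string): string | null {
    return this.map.get(key) ?? null;
  }
  setItem(key: string, value: string): void {
    this.map.set(key, value);
  }
}

/** Read token=... from a URL fragment; null if absent or empty. */
export function tokenFromFragment(hash: string): string | null {
  const params = new URLSearchParams(hash.replace(/^#/, ""));
  const token = params.get("token");
  return token && token.length > 0 ? token : null;
}

/**
 * First-load bootstrap: persist a fragment token (if present), strip the
 * fragment so it does not linger in history/bookmarks, and return the token
 * that later requests should use (from storage if the fragment carried none).
 */
export function bootstrapToken(
  pageUrl: string,
  store: TokenStore,
): { token: string | null; cleanUrl: string } {
  const url = new URL(pageUrl);
  const fromFragment = tokenFromFragment(url.hash);
  if (fromFragment !== null) {
    store.setItem(STORAGE_KEY, fromFragment);
    url.hash = ""; // fragment removed; in the page this is followed by history.replaceState
  }
  return { token: store.getItem(STORAGE_KEY), cleanUrl: url.toString() };
}

/** Headers for fetch()-based API routes: the bearer header is added to any caller headers. */
export function authHeaders(
  token: string,
  extra: Record<string, string> = {},
): Record<string, string> {
  return { ...extra, Authorization: `Bearer ${token}` };
}

/** Path for an EventSource route: the token has to go in the query string. */
export function sseUrl(path: string, token: string, base = "http://127.0.0.1"): string {
  const url = new URL(path, base);
  url.searchParams.set("_token", token);
  return url.pathname + url.search;
}
```

In the page, bootstrapToken runs once on load with window.location.href and window.localStorage, and cleanUrl is pushed with history.replaceState so the token never sits in the address bar.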
Architecture
Browser
└─ page.tsx (dynamic, ssr:false)
└─ SFAppShell
├─ WorkspaceChrome — layout chrome, sidebar, status bar
│ └─ 7 views (see below)
└─ CommandSurface — slash-command palette
Next.js API routes (web/app/api/**/route.ts)
└─ delegate to *-service.ts files in src/web/
└─ bridge-service.ts — per-CWD singleton sf subprocess (RPC over stdio)
bridge-service.ts spawns sf as a child process, speaks JSON-RPC over stdio,
and multiplexes all API routes onto that single bridge. Auth is enforced before
requests reach the bridge via requireProjectCwd() (which validates the token
and resolves the CWD from SF_WEB_PROJECT_CWD).
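The token check that sits in front of the bridge, as an added example rather than the project's own requireProjectCwd(). It accepts the bearer header or the _token query parameter described under Auth, compares the token in constant time, and resolves the CWD from SF_WEB_PROJECT_CWD; the names requireProjectCwdFrom, presentedToken, tokensMatch and AuthError, and the explicit env-object parameter, are assumptions for this example:

```typescript
import { timingSafeEqual } from "node:crypto";
import { isAbsolute } from "node:path";

// Added example, not src/web/bridge-service.ts: the checks requireProjectCwd()
// is described as performing, written against plain header/URL/env values so
// it runs without a Next.js request. All names below are assumptions.

export class AuthError extends Error {
  readonly status: number;
  constructor(status: number, message: string) {
    super(message);
    this.status = status;
    this.name = "AuthError";
  }
}

/** Constant-time comparison; timingSafeEqual needs equal lengths, so check that first. */
export function tokensMatch(presented: string, expected: string): boolean {
  const a = Buffer.from(presented, "utf8");
  const b = Buffer.from(expected, "utf8");
  if (a.length !== b.length) return false; // reveals only the length, never a prefix
  return timingSafeEqual(a, b);
}

/** Token as presented: Authorization header first, then ?_token= (SSE routes). */
export function presentedToken(authorization: string | null, url: string): string | null {
  if (authorization) {
    const m = /^Bearer\s+(\S+)$/i.exec(authorization.trim());
    if (m) return m[1];
  }
  const q = new URL(url, "http://localhost").searchParams.get("_token");
  return q && q.length > 0 ? q : null;
}

export interface AuthEnv {
  SF_WEB_AUTH_TOKEN?: string;
  SF_WEB_PROJECT_CWD?: string;
}

/**
 * Mirrors the requireProjectCwd() contract: throws AuthError unless the token
 * matches, otherwise returns the project CWD. A misconfigured server fails
 * closed (500) instead of letting every request through.
 */
export function requireProjectCwdFrom(
  authorization: string | null,
  url: string,
  env: AuthEnv,
): string {
  const expected = env.SF_WEB_AUTH_TOKEN;
  if (!expected) throw new AuthError(500, "SF_WEB_AUTH_TOKEN is not configured");
  const token = presentedToken(authorization, url);
  if (token === null || !tokensMatch(token, expected)) {
    throw new AuthError(401, "unauthorized");
  }
  const cwd = env.SF_WEB_PROJECT_CWD;
  if (!cwd || !isAbsolute(cwd)) {
    throw new AuthError(500, "SF_WEB_PROJECT_CWD must be an absolute path");
  }
  return cwd;
}
```

A route handler would call requireProjectCwdFrom(request.headers.get("authorization"), request.url, process.env) and turn an AuthError into a Response with the error's status; doing that before any bridge or disk access is what keeps unauthenticated requests away from the sf subprocess.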
The 7 views
| View key | Component | Purpose |
|---|---|---|
| dashboard | Dashboard | Live project status, metrics, quick-start panel |
| chat | ChatMode | Conversational agent interface |
| power | DualTerminal | Full-screen split terminal (agent + shell) |
| roadmap | Roadmap | Milestone and slice plan explorer |
| files | FilesView | Project file browser with syntax highlighting |
| activity | ActivityView | Event log and session history |
| visualize | VisualizerView | Dependency graph and architecture visualizer |
Adding a new API route
- Create web/app/api/<name>/route.ts that calls requireProjectCwd(request) for auth/CWD resolution, then delegates to a service:

```typescript
// web/app/api/my-feature/route.ts
import { requireProjectCwd } from "../../../../src/web/bridge-service.ts";
import { collectMyFeatureData } from "../../../../src/web/my-feature-service.ts";

export const runtime = "nodejs";        // services use Node APIs (child process, fs)
export const dynamic = "force-dynamic"; // never pre-render or cache this route at build time

export async function GET(request: Request): Promise<Response> {
  // Validates the bearer token and resolves the project CWD before any work happens.
  const projectCwd = requireProjectCwd(request);
  const data = await collectMyFeatureData(projectCwd);
  // Live project state: keep it out of browser and proxy caches.
  return Response.json(data, { headers: { "Cache-Control": "no-store" } });
}
```

- Implement src/web/my-feature-service.ts with the actual logic (may call the bridge or read disk directly).
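A service module for the second step, as an added example and not project code. It assumes a feature that returns one project file to the browser (the kind of thing the files view needs) and shows the confinement check a service that reads disk directly must apply so that a client-supplied path cannot escape projectCwd; resolveInsideProject, assertInside and readProjectFile are hypothetical names:

```typescript
import { resolve, relative, isAbsolute, sep } from "node:path";
import { readFile, realpath } from "node:fs/promises";

// Added example of a disk-reading service (not src/web/*-service.ts). Names
// are assumptions. The request path comes from the browser, so it is treated
// as untrusted and confined to the project CWD resolved by requireProjectCwd().

/** Throws unless target lies inside root (root itself is allowed). */
function assertInside(root: string, target: string, label: string): void {
  const rel = relative(root, target);
  // relative() gives "" for root, "../x" for escapes, and an absolute path on
  // Windows when the drive differs. A plain startsWith(root) check would wrongly
  // accept /srv/project-evil for root /srv/project; relative() does not.
  if (rel === ".." || rel.startsWith(`..${sep}`) || isAbsolute(rel)) {
    throw new Error(`path escapes project: ${label}`);
  }
}

/** Lexical confinement: resolve a client-supplied relative path under projectCwd. */
export function resolveInsideProject(projectCwd: string, requested: string): string {
  if (isAbsolute(requested)) throw new Error("absolute paths are not allowed");
  const root = resolve(projectCwd);
  const target = resolve(root, requested);
  assertInside(root, target, requested);
  return target;
}

/**
 * Read a file for the UI. The lexical check cannot see symlinks, so the real
 * paths are compared again before the read; a link inside the project that
 * points outside it is rejected rather than followed.
 */
export async function readProjectFile(projectCwd: string, requested: string): Promise<string> {
  const target = resolveInsideProject(projectCwd, requested);
  const [realRoot, realTarget] = await Promise.all([realpath(projectCwd), realpath(target)]);
  assertInside(realRoot, realTarget, requested);
  return readFile(realTarget, "utf8");
}
```

A route would pass the value of a query parameter straight into readProjectFile(projectCwd, requested) and let the thrown error become a 400; the only path that ever reaches readFile is one proven to sit under the CWD.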
Tests
Tests for web utilities live in web/lib/__tests__/ and run via Vitest:
npx vitest run web/lib --config vitest.config.ts
Note: co-located *.test.ts files inside web/ outside of __tests__/ subdirectories are silently skipped by the root Vitest config. Always place web tests under web/lib/__tests__/.