Add devbox deployment runtime (#14)

Author: Che-Zhu

Cargo.lock

@@ -27,6 +27,7 @@ tracing = "0.1"
 tracing-subscriber = { version = "0.3", features = ["env-filter", "fmt"] }
 uuid = { version = "1", features = ["serde", "v4"] }
 jsonwebtoken = { version = "9", default-features = false }
+reqwest = { version = "0.12", default-features = false, features = ["json", "rustls-tls"] }
 
 [profile.release]
 opt-level = "z"

Cargo.toml

@@ -166,11 +166,23 @@ Gateway-owned settings use the `CODEX_GATEWAY_` prefix for better discoverabilit
 - `CODEX_GATEWAY_OPENAI_API_KEY`: API key used at startup to run `codex login --with-api-key`.
 - `CODEX_GATEWAY_OPENAI_BASE_URL`: upstream OpenAI-compatible base URL. When set, the gateway configures Codex to use a custom provider with `supports_websockets = false`.
 - `CODEX_GATEWAY_MAX_SESSIONS`: maximum live sessions. Defaults to `12`.
+- `CODEX_GATEWAY_MAX_DEPLOYMENTS`: maximum active deployment tasks. Defaults to `4`.
 - `CODEX_GATEWAY_SESSION_TTL_MS`: idle session TTL. Defaults to `1800000`.
+- `CODEX_GATEWAY_DEPLOYMENT_TIMEOUT_MS`: deployment task timeout and deployment session keepalive window. Defaults to `3600000`.
 - `CODEX_GATEWAY_SESSION_SWEEP_INTERVAL_MS`: cleanup sweep interval. Defaults to `60000`.
 - `CODEX_GATEWAY_CODEX_HOME`: Codex runtime home for auth cache, logs, history, and config. In Docker this defaults to `/codex-home`.
 - `CODEX_GATEWAY_DEBUG`: enables raw bridge message debugging when set to `1`.
 - `CODEX_GATEWAY_JWT_SECRET`: optional HS256 JWT secret. When set, the gateway requires a valid bearer token for all routes except `/healthz` and `/readyz`.
+- `CODEX_GATEWAY_SESSION_RUNTIME`: session runtime backend. Defaults to `local`; set to `devbox` to create a Devbox runtime before each session.
+- `CODEX_GATEWAY_DEVBOX_BASE_URL`: Devbox API base URL. If omitted in devbox mode, the gateway derives `https://devbox-server.${SEALOS_HOST}` from `SEALOS_HOST`.
+- `CODEX_GATEWAY_DEVBOX_TOKEN`: Devbox API bearer token. `DEVBOX_TOKEN` is also accepted.
+- `CODEX_GATEWAY_DEVBOX_JWT_SIGNING_KEY`: HS256 signing key used when no Devbox token is configured. `DEVBOX_JWT_SIGNING_KEY` is also accepted.
+- `CODEX_GATEWAY_DEVBOX_NAMESPACE`: Devbox namespace. Defaults to `ns-test`.
+- `CODEX_GATEWAY_DEVBOX_RUNTIME_IMAGE`: optional Devbox runtime image override.
+- `CODEX_GATEWAY_DEVBOX_ARCHIVE_AFTER_PAUSE_TIME`: Devbox archive delay after pause. Defaults to `24h`.
+- `CODEX_GATEWAY_DEVBOX_WAIT_TIMEOUT_SECONDS`: timeout while waiting for a new Devbox to become `Running`. Defaults to `60`.
+- `CODEX_GATEWAY_DEVBOX_GATEWAY_READY_TIMEOUT_SECONDS`: timeout while waiting for the Codex Gateway inside Devbox to pass health and readiness checks. Defaults to `60`.
+- `CODEX_GATEWAY_DEVBOX_BOOTSTRAP_TIMEOUT_SECONDS`: timeout for the bootstrap command. Defaults to `300`.
 
 ## Docker
 

README.md

@@ -2,9 +2,14 @@ use std::path::PathBuf;
 use std::time::Duration;
 
 use crate::env_config::{
-    BRIDGE_CWD_ENV, CODEX_BIN_ENV, DEBUG_ENV, DEFAULT_MODEL_ENV, HOST_ENV, JWT_SECRET_ENV,
-    MAX_SESSIONS_ENV, PORT_ENV, SESSION_SWEEP_INTERVAL_MS_ENV, SESSION_TTL_MS_ENV, read_bool_flag,
-    read_env, read_u16, read_u64, read_usize,
+    BRIDGE_CWD_ENV, CODEX_BIN_ENV, DEBUG_ENV, DEFAULT_MODEL_ENV, DEPLOYMENT_TIMEOUT_MS_ENV,
+    DEVBOX_ARCHIVE_AFTER_PAUSE_TIME_ENV, DEVBOX_BASE_URL_ENV, DEVBOX_BOOTSTRAP_TIMEOUT_SECONDS_ENV,
+    DEVBOX_GATEWAY_READY_TIMEOUT_SECONDS_ENV, DEVBOX_JWT_SIGNING_KEY_ENV,
+    DEVBOX_JWT_TTL_SECONDS_ENV, DEVBOX_NAMESPACE_ENV, DEVBOX_RUNTIME_IMAGE_ENV, DEVBOX_TOKEN_ENV,
+    DEVBOX_WAIT_TIMEOUT_SECONDS_ENV, HOST_ENV, JWT_SECRET_ENV, MAX_DEPLOYMENTS_ENV,
+    MAX_SESSIONS_ENV, PORT_ENV, SEALOS_HOST_ENV, SESSION_RUNTIME_ENV,
+    SESSION_SWEEP_INTERVAL_MS_ENV, SESSION_TTL_MS_ENV, read_bool_flag, read_env, read_u16,
+    read_u64, read_usize,
 };
 
 #[derive(Debug, Clone)]
@@ -19,6 +24,26 @@ pub struct AuthConfig {
     pub jwt_secret: String,
 }
 
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+pub enum SessionRuntimeMode {
+    Local,
+    Devbox,
+}
+
+#[derive(Debug, Clone)]
+pub struct DevboxConfig {
+    pub base_url: String,
+    pub namespace: String,
+    pub token: Option<String>,
+    pub jwt_signing_key: Option<String>,
+    pub jwt_ttl_seconds: u64,
+    pub runtime_image: Option<String>,
+    pub archive_after_pause_time: String,
+    pub wait_timeout: Duration,
+    pub gateway_ready_timeout: Duration,
+    pub bootstrap_timeout: Duration,
+}
+
 #[derive(Debug, Clone)]
 pub struct AppConfig {
     pub host: String,
@@ -30,16 +55,22 @@ pub struct AppConfig {
     pub debug: bool,
     pub default_model: Option<String>,
     pub max_sessions: usize,
+    pub max_deployments: usize,
     pub session_ttl: Duration,
+    pub deployment_timeout: Duration,
     pub session_sweep_interval: Duration,
     pub client_info: ClientInfo,
     pub auth: Option<AuthConfig>,
+    pub session_runtime: SessionRuntimeMode,
+    pub devbox: Option<DevboxConfig>,
 }
 
 impl AppConfig {
     pub fn from_env(root_dir: PathBuf) -> Self {
         let public_dir = root_dir.join("public");
         let lab_dir = root_dir.join("lab");
+        let session_runtime = read_session_runtime();
+        let devbox = read_devbox_config(session_runtime);
 
         Self {
             host: read_env(HOST_ENV).unwrap_or_else(|| "0.0.0.0".to_string()),
@@ -53,9 +84,13 @@ impl AppConfig {
             debug: read_bool_flag(DEBUG_ENV),
             default_model: read_env(DEFAULT_MODEL_ENV),
             max_sessions: read_usize(MAX_SESSIONS_ENV).unwrap_or(12),
+            max_deployments: read_usize(MAX_DEPLOYMENTS_ENV).unwrap_or(4),
             session_ttl: Duration::from_millis(
                 read_u64(SESSION_TTL_MS_ENV).unwrap_or(30 * 60 * 1000),
             ),
+            deployment_timeout: Duration::from_millis(
+                read_u64(DEPLOYMENT_TIMEOUT_MS_ENV).unwrap_or(60 * 60 * 1000),
+            ),
             session_sweep_interval: Duration::from_millis(
                 read_u64(SESSION_SWEEP_INTERVAL_MS_ENV).unwrap_or(60 * 1000),
             ),
@@ -65,6 +100,55 @@ impl AppConfig {
                 version: env!("CARGO_PKG_VERSION").to_string(),
             },
             auth: read_env(JWT_SECRET_ENV).map(|jwt_secret| AuthConfig { jwt_secret }),
+            session_runtime,
+            devbox,
         }
     }
 }
+
+fn read_session_runtime() -> SessionRuntimeMode {
+    match read_env(SESSION_RUNTIME_ENV)
+        .unwrap_or_else(|| "local".to_string())
+        .to_ascii_lowercase()
+        .as_str()
+    {
+        "devbox" => SessionRuntimeMode::Devbox,
+        _ => SessionRuntimeMode::Local,
+    }
+}
+
+fn read_devbox_config(session_runtime: SessionRuntimeMode) -> Option<DevboxConfig> {
+    if session_runtime != SessionRuntimeMode::Devbox {
+        return None;
+    }
+
+    let base_url = read_env(DEVBOX_BASE_URL_ENV).or_else(|| {
+        read_env(SEALOS_HOST_ENV).map(|host| {
+            let normalized = host
+                .trim()
+                .trim_end_matches('/')
+                .trim_start_matches("https://")
+                .trim_start_matches("http://")
+                .to_string();
+            format!("https://devbox-server.{normalized}")
+        })
+    });
+
+    Some(DevboxConfig {
+        base_url: base_url.unwrap_or_default(),
+        namespace: read_env(DEVBOX_NAMESPACE_ENV).unwrap_or_else(|| "ns-test".to_string()),
+        token: read_env(DEVBOX_TOKEN_ENV),
+        jwt_signing_key: read_env(DEVBOX_JWT_SIGNING_KEY_ENV),
+        jwt_ttl_seconds: read_u64(DEVBOX_JWT_TTL_SECONDS_ENV).unwrap_or(4 * 60 * 60),
+        runtime_image: read_env(DEVBOX_RUNTIME_IMAGE_ENV),
+        archive_after_pause_time: read_env(DEVBOX_ARCHIVE_AFTER_PAUSE_TIME_ENV)
+            .unwrap_or_else(|| "24h".to_string()),
+        wait_timeout: Duration::from_secs(read_u64(DEVBOX_WAIT_TIMEOUT_SECONDS_ENV).unwrap_or(60)),
+        gateway_ready_timeout: Duration::from_secs(
+            read_u64(DEVBOX_GATEWAY_READY_TIMEOUT_SECONDS_ENV).unwrap_or(60),
+        ),
+        bootstrap_timeout: Duration::from_secs(
+            read_u64(DEVBOX_BOOTSTRAP_TIMEOUT_SECONDS_ENV).unwrap_or(300),
+        ),
+    })
+}