@scott-cotton scott-cotton commented Dec 3, 2025

Depends on signadot/go-sdk#75
And depends on https://github.com/signadot/signadot/pull/6388 for sandbox apply, local override, traffic record

stacked on #276

Summary

Adds devbox support for user authentication via bearer token

Key Changes

New Devbox Commands

  • signadot devbox register - Register a new devbox with optional name and claim flags
  • signadot devbox list - List devboxes (with --all flag to show all devboxes)
  • signadot devbox delete - Delete a devbox (immediate deletion, no wait flags)

Devbox Session Management

  • Session Manager (internal/devbox/session_manager.go) - Manages devbox session lifecycle with automatic renewal
  • ID Persistence - Devbox IDs are cached locally in ~/.signadot/.devbox-id to avoid re-registration
  • Bearer Token Support - Session manager works with bearer tokens. API Keys will require another API PR.
  • Session Claiming - Support for claiming/releasing devbox sessions

Release Detection in Sandbox Manager

  • Release Detection - The sandbox manager (sbmgr) monitors devbox session status and detects when a session is released by another process
  • Deadend State - When release is detected, sbmgr enters a "deadend" state where it:
    • Shuts down the root manager (tunnel, localnet, etchosts)
    • Stops all active work (sandbox watcher, port forwarding, control plane proxy)
    • Keeps the gRPC server running so signadot local status can report the released state
    • Waits indefinitely until the process is killed externally
  • Status Reporting - signadot local status displays devbox session health, including when a session has been released, showing the error reason and timestamp

Integration Updates

  • Local Connect - Now automatically registers/retrieves devbox ID and session ID, passing them to locald
  • Sandbox Apply - Updated to use devbox ID instead of machine ID for local sandboxes
  • Local Override - Adapted to use devbox ID
  • Traffic Record - Updated to include devbox ID in instrumentation

Protocol & Status Updates

  • Added DevboxSessionStatus proto message with health, release status, and error tracking
  • Updated sandbox manager to monitor devbox session status and detect session releases
  • Added released detection plumbing in sandbox manager

Configuration

  • New Devbox config struct with sub-configs for list, register, and delete commands
  • ConnectInvocationConfig now includes DevboxID and DevboxSessionID fields

Technical Details

  • 30 files changed: 2,415 insertions(+), 407 deletions(-)
  • Devbox registration uses machine ID and hostname and optional user provided name to replace the hostname for identification
  • Session manager handles auth token refresh automatically
  • Shouldn't break anything other than local workloads/connect with API Key, but needs more thorough testing.
  • Release detection occurs during session renewal attempts - if the session ID no longer matches or the session is not found, sbmgr detects the release and enters deadend state

Testing Notes

  • Devbox commands require API access for registration/listing/deletion via bearer token
  • Session management works with bearer token authentication
  • signadot local status shows devbox session status including release detection
  • When a devbox session is released, sbmgr gracefully shuts down active components while maintaining status reporting capability
  • sandbox apply creates an associated sandbox which is subsequently connected to the local connect session.
  • registration with --name does not overwrite ~/.signadot/.devbox-id but does create a new devbox
  • devbox list
  • devbox delete (also when .devbox-id contains the devbox ID)
  • local connect with and without .devbox-id and with and without --name

Known TODOs

Aside from API Key support, this requires some additional cleanup of the gRPC protos -- removing RegisterSandbox.
Another round of SDK updates for labels vs idmeta to be ironed out in a subsequent iteration.
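
The release-detection rule from the description above (a renewal that finds the session missing, or held under a different session ID, puts the manager in a terminal deadend state that still reports status) as an added Go example; it is not code from this PR. `Manager`, `Status`, `Renew`, `StopWork` and `ErrNotFound` are hypothetical names, and the session IDs are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

var ErrNotFound = errors.New("devbox session not found") // hypothetical API error

// Status loosely models DevboxSessionStatus; the field names are assumptions.
type Status struct {
	Healthy, Released bool
	LastError         string
	ReleasedAt        time.Time
}

// Manager tracks the session ID this process holds (hypothetical type).
type Manager struct {
	SessionID string
	Status    Status
	StopWork  func() // stops tunnel, port forwards, watchers; status stays readable
}

// Renew handles one renewal result: current is the session ID the control plane
// reports, err the API error. It returns true once released, which is terminal.
func (m *Manager) Renew(current string, err error, now time.Time) bool {
	switch {
	case m.Status.Released: // dead end: never resume work
	case errors.Is(err, ErrNotFound):
		m.deadend("session not found", now)
	case err != nil: // transient failure: unhealthy, but not a release
		m.Status.Healthy, m.Status.LastError = false, err.Error()
	case current != m.SessionID:
		m.deadend("session ID mismatch: held by another process", now)
	default:
		m.Status.Healthy, m.Status.LastError = true, ""
	}
	return m.Status.Released
}

func (m *Manager) deadend(reason string, now time.Time) {
	m.Status = Status{Released: true, LastError: reason, ReleasedAt: now}
	m.StopWork()
}

func main() {
	m := &Manager{SessionID: "sess-A", StopWork: func() { fmt.Println("work stopped") }}
	fmt.Println(m.Renew("sess-A", nil, time.Now()), m.Renew("sess-B", nil, time.Now()))
}
```

A transient renewal error marks the session unhealthy without stopping work; only a missing session or an ID mismatch triggers the shutdown, and a later matching ID does not revive the process.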

fixed devbox list
added devbox delete
adapted sandbox apply
adapted local override
adapted traffic record
return dsm, nil
}

func createAPIClient(ciConfig *config.ConnectInvocationConfig, authInfo *auth.ResolvedAuth) (*client.SignadotAPI, error) {
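
Review bot: createAPIClient is declared without a doc comment, so nothing at the declaration says why this package builds its own *client.SignadotAPI from both ciConfig and authInfo. Add a comment above the func stating which of the two inputs supplies the credential and in what order they are tried, so the credential selection can be audited without reading the body.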
Contributor

Why can't we use the normal API client and we need a custom one? (note that we do auth refresh in the regular one)

Member Author

  1. The normal API client only refreshes tokens for KeyringAuthSource (line 94 in api.go), not PlainTextAuthSource, even
    though refreshKeyringAuth() supports both.
  2. The normal API client requires OrgName upfront (line 85-87), which may not be available initially.
  3. The normal API client doesn't support fallback to ciConfig.APIKey.

This was put in the devbox pkg to isolate the changes without introducing a new refactoring.

Member Author

Probably should refactor to fix the bug in the original in 1...

Contributor

If you want to do that later on a separate PR, I'm fine with it.

Contributor

@daniel-de-vera daniel-de-vera left a comment

LGTM

@scott-cotton scott-cotton merged commit 659be3e into add-skeleton-devbox Dec 5, 2025
@scott-cotton scott-cotton deleted the devbox-no-api-key branch December 5, 2025 12:18
scott-cotton added a commit that referenced this pull request Dec 5, 2025
* add skeleton for devbox

* devboxes support (no API Key) (#277)

* checkpoint local connect with devboxes

* plumbing status and released detection

* add released detection in sbmgr
fixed devbox list
added devbox delete
adapted sandbox apply
adapted local override
adapted traffic record

* misc fixes to list, register

* incorporate api key changes and merged metadata field

* use ValidateSession

* nilness-uniformity

* CR:

- local connect --devbox
- nilness in sbmgr
- using local status in override

* use go-sdk w/ devbox support on its main branch

---------

Co-authored-by: Scott Cotton <scott@signadot.com>
Co-authored-by: Scott Cotton <scott@mindowl.com>