experiment with ssh

[Kitenite]

• fix(desktop): show base branch in changes view (fix(desktop): show base branch in changes view #557)
• chore(desktop): bump version to 0.0.42 (chore(desktop): bump version to 0.0.42 #564)
• ssh tester

Description

Related Issues

Type of Change

• Bug fix
• New feature
• Documentation
• Refactor
• Other (please describe):

Testing

Screenshots (if applicable)

Additional Notes

Summary by CodeRabbit

• Chores

  • Added SSH test container infrastructure (Ubuntu-based SSH server, test user, port mapping and workspace mount) for authentication and connectivity testing.

• Documentation

  • Added SSH test container README with build/run and password/key-based connection instructions.
  • Added Remote Workspace Agent design document detailing architecture, RPC patterns, transport/SSH considerations, and implementation guidance.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds an SSH test container (Dockerfile, docker-compose, README) for running an OpenSSH server and a detailed Remote Workspace Agent design doc describing RPC proxies, SSH transport, agent deployment, package layout, and implementation phases.

Changes

Cohort / File(s)	Summary
SSH Test Container ssh-test-container/Dockerfile, ssh-test-container/docker-compose.yml, ssh-test-container/README.md	New Dockerfile (Ubuntu 22.04) installing and configuring OpenSSH server, creating a test user with sudo and password auth for testing, preparing ~/.ssh, exposing port 22. docker-compose.yml adds ssh-server service (host port 2222 → container 22, workspace volume, restart policy). README documents build/run/connect and key-based auth setup.
Remote Workspace Agent Design apps/desktop/docs/REMOTE_WORKSPACE_AGENT.md	New comprehensive design doc covering architecture (desktop core, RPC proxy/server, remote agent), interfaces (IGitOperations, IFileOperations, IWorkspaceOperations), package layout, RPC proxy generation and server registration, SSH transport and agent installation flow, data model/migration notes, security considerations, phased implementation plan, and open questions.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant Desktop as Desktop App
  participant Provider as Ops Provider
  participant SSH as SSH Transport
  participant Agent as Remote Agent
  participant RPC as RPC Server
  participant FS as Remote Filesystem

  rect rgba(200,230,255,0.25)
    Desktop->>Provider: request operation (e.g., readFile)
    Provider->>Provider: decide local vs remote
  end

  alt Remote chosen
    rect rgba(220,255,220,0.18)
      Provider->>SSH: open connection & authenticate
      SSH->>Agent: establish channel / forward RPC
      Agent->>RPC: forward RPC call
      RPC->>FS: perform file access
      FS-->>RPC: return file content
      RPC-->>Agent: RPC response
      Agent-->>SSH: send response over transport
      SSH-->>Provider: deliver response
      Provider-->>Desktop: return result
    end
  else Local chosen
    Provider-->>Desktop: invoke local implementation
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐇
In a cozy shell I dig and hop,
I tuck a key where connections stop,
A port for guests, a gentle tap,
The agent wakes — the workmaps snap,
Hooray — a burrowed SSH lap.

Pre-merge checks

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description is largely incomplete and off-topic, containing unrelated commit messages and leaving template sections empty without substantive details about the actual changes.	Fill in the description with details about the SSH container implementation and remote workspace agent design, select the appropriate change type (Documentation and New Feature), link any related issues, and describe testing steps.
Title check	❓ Inconclusive	The title 'experiment with ssh' is vague and generic, using non-descriptive language that doesn't clearly convey the specific changes in the changeset.	Revise the title to be more specific and descriptive, such as 'Add SSH test container and remote workspace agent architecture' to clearly indicate the main changes.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🚀 Preview Deployment

🔗 Preview Links

Service	Status	Link
Database (Neon)	✅	View Branch
Electric (Fly.io)	✅	View App
API (Vercel)	✅	Open Preview
Web (Vercel)	✅	Open Preview
Marketing (Vercel)	✅	Open Preview
Admin (Vercel)	✅	Open Preview
Docs (Vercel)	✅	Open Preview

---

Preview updates automatically with new commits

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (3)

ssh-test-container/docker-compose.yml (1)

8-10: Simplify key-based authentication setup.

The commented approach of mounting ~/.ssh/id_rsa.pub as authorized_keys is functional but requires users to uncomment, rebuild, and understand file permissions. The manual setup documented in the README (lines 64-68) is complex and error-prone.

Consider providing a startup script that automatically copies keys if present, making the workflow smoother.

🔎 Alternative approach with an entrypoint script

Add an entrypoint script to the Dockerfile:

COPY entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
CMD ["/usr/sbin/sshd", "-D"]

Create entrypoint.sh:

#!/bin/bash
# Copy authorized_keys if provided via volume
if [ -f /tmp/authorized_keys ]; then
  cp /tmp/authorized_keys /home/testuser/.ssh/authorized_keys
  chown testuser:testuser /home/testuser/.ssh/authorized_keys
  chmod 600 /home/testuser/.ssh/authorized_keys
fi
exec "$@"

Update docker-compose.yml:

volumes:
  - ~/.ssh/id_rsa.pub:/tmp/authorized_keys:ro
  - ./workspace:/home/testuser/workspace

ssh-test-container/README.md (2)

63-68: Simplify key-based authentication setup.

The manual setup requires users to execute three separate docker commands with correct permissions. This is error-prone and could be streamlined with better tooling or documentation.

Consider adding a setup script or improving the docker-compose workflow as suggested in the docker-compose.yml review comments. Alternatively, document the uncomment approach more clearly:

## Key-Based Auth Setup

**Option 1: Using docker-compose (recommended)**
1. Uncomment the authorized_keys volume mount in `docker-compose.yml`
2. Rebuild: `docker-compose up -d --build`

**Option 2: Manual setup**
```bash
docker cp ~/.ssh/id_rsa.pub superset-ssh-test:/home/testuser/.ssh/authorized_keys
docker exec superset-ssh-test chown testuser:testuser /home/testuser/.ssh/authorized_keys
docker exec superset-ssh-test chmod 600 /home/testuser/.ssh/authorized_keys

---

`70-77`: **Add security warning to connection details.**

The connection details clearly show the password, which is appropriate for documentation. However, consider adding a prominent security warning that this container should only be used in isolated development environments and never exposed to public networks.


<details>
<summary>🔎 Suggested addition</summary>

```diff
 ## Connection Details
+
+> ⚠️ **Security Warning**: This container uses a hardcoded password and should only be used in isolated development environments. Never expose port 2222 to untrusted networks.
 
 | Field    | Value     |

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b1bb6aa and 52a6775.

📒 Files selected for processing (3)

• ssh-test-container/Dockerfile
• ssh-test-container/README.md
• ssh-test-container/docker-compose.yml

🧰 Additional context used

🪛 Checkov (3.2.334)

ssh-test-container/Dockerfile

[medium] 15-17: Ensure that 'chpasswd' is not used to set or remove passwords

(CKV2_DOCKER_17)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)

• GitHub Check: Deploy API
• GitHub Check: Deploy Marketing
• GitHub Check: Deploy Admin
• GitHub Check: Deploy Web
• GitHub Check: Deploy Docs
• GitHub Check: Build

🔇 Additional comments (3)

ssh-test-container/Dockerfile (2)

23-26: LGTM! Correct permissions for .ssh directory.

The .ssh directory is properly configured with mode 700 and correct ownership, which is essential for SSH key-based authentication to work.

---

19-21: The sed patterns will match Ubuntu 22.04's default sshd_config—no changes needed.

The commented-out lines #PasswordAuthentication yes and #PermitRootLogin prohibit-password are present in Ubuntu 22.04's default /etc/ssh/sshd_config, so the sed commands will work correctly and not fail silently.

Note: Ubuntu 22.04 also loads additional config from /etc/ssh/sshd_config.d/*.conf via the Include directive. If any of those files override these settings (e.g., cloud-init's 50-cloud-init.conf), the sed changes to the main config may be masked, though this is unlikely to be an issue in a test container context.

Likely an incorrect or invalid review comment.

ssh-test-container/docker-compose.yml (1)

11-11: LGTM! Appropriate restart policy for a test container.

The unless-stopped restart policy is suitable for a development/testing environment.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Consider documenting the security implications of the hardcoded password.

The hardcoded password "test" is weak and exposes the container to unauthorized access if the port is accidentally exposed to untrusted networks. While acceptable for local testing, consider adding a prominent comment warning that this container should only be used in isolated development environments.

Regarding the Checkov warning about chpasswd usage: For a test container, this approach is acceptable, though you might want to add a comment acknowledging this is intentionally simplified for testing purposes.

🔎 Suggested improvement

-# Create a test user (password: test)
+# Create a test user (password: test)
+# WARNING: This is a test container only. Do not expose port 2222 to untrusted networks.
 RUN useradd -m -s /bin/bash testuser && \
     echo 'testuser:test' | chpasswd && \
     usermod -aG sudo testuser

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	# Create a test user (password: test)
	RUN useradd -m -s /bin/bash testuser && \
	echo 'testuser:test' | chpasswd && \
	usermod -aG sudo testuser
	# Create a test user (password: test)
	# WARNING: This is a test container only. Do not expose port 2222 to untrusted networks.
	RUN useradd -m -s /bin/bash testuser && \
	echo 'testuser:test' | chpasswd && \
	usermod -aG sudo testuser

🧰 Tools

🪛 Checkov (3.2.334)

[medium] 15-17: Ensure that 'chpasswd' is not used to set or remove passwords

(CKV2_DOCKER_17)

🤖 Prompt for AI Agents

In ssh-test-container/Dockerfile around lines 14 to 17, the Dockerfile creates a
test user with a hardcoded weak password which poses a security risk and
triggers Checkov warnings; add a prominent comment above these lines warning
that this password is intentionally weak and the image is for isolated local
development only, note that chpasswd usage is intentional for testing (to
silence/annotate the Checkov finding), and suggest best-practice alternatives
(e.g., use environment-injected secrets, SSH key auth, or limit exposure by
binding SSH to localhost or not exposing the port) so reviewers know this is
deliberately simplified and should not be used in production.

[coderabbitai]

🛠️ Refactor suggestion | 🟠 Major

Remove duplicated code from documentation.

Embedding the complete Dockerfile (lines 6-37) and docker-compose.yml (lines 40-52) content creates a maintenance burden. When the actual files are updated, this documentation will become stale and misleading.

🔎 Proposed refactor

Replace lines 3-52 with a brief overview:

-## Files
-
-### Dockerfile
-```dockerfile
-FROM ubuntu:22.04
-...
-```
-
-### docker-compose.yml
-```yaml
-services:
-...
-```
+## Overview
+
+This SSH test container provides a secure testing environment with:
+- Ubuntu 22.04 base image
+- OpenSSH server configured for both password and key-based authentication
+- Test user `testuser` with sudo privileges
+- Exposed on port 2222 for easy local access
+
+See the `Dockerfile` and `docker-compose.yml` files in this directory for complete configuration details.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	### Dockerfile
	```dockerfile
	FROM ubuntu:22.04
	RUN apt-get update && apt-get install -y \
	openssh-server \
	git \
	curl \
	vim \
	sudo \
	&& rm -rf /var/lib/apt/lists/*
	# Create SSH directory and configure
	RUN mkdir /var/run/sshd
	# Create a test user (password: test)
	RUN useradd -m -s /bin/bash testuser && \
	echo 'testuser:test' | chpasswd && \
	usermod -aG sudo testuser
	# Allow password authentication (for easy testing)
	RUN sed -i 's/#PasswordAuthentication yes/PasswordAuthentication yes/' /etc/ssh/sshd_config && \
	sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin no/' /etc/ssh/sshd_config
	# Create .ssh directory for key-based auth
	RUN mkdir -p /home/testuser/.ssh && \
	chmod 700 /home/testuser/.ssh && \
	chown -R testuser:testuser /home/testuser/.ssh
	EXPOSE 22
	CMD ["/usr/sbin/sshd", "-D"]
	```
	### docker-compose.yml
	```yaml
	services:
	ssh-server:
	build: .
	container_name: superset-ssh-test
	ports:
	- "2222:22"
	volumes:
	# Uncomment to mount your public key for key-based auth
	# - ~/.ssh/id_rsa.pub:/home/testuser/.ssh/authorized_keys:ro
	- ./workspace:/home/testuser/workspace
	restart: unless-stopped
	```
	## Overview
	This SSH test container provides a secure testing environment with:
	- Ubuntu 22.04 base image
	- OpenSSH server configured for both password and key-based authentication
	- Test user `testuser` with sudo privileges
	- Exposed on port 2222 for easy local access
	See the `Dockerfile` and `docker-compose.yml` files in this directory for complete configuration details.

🤖 Prompt for AI Agents

In ssh-test-container/README.md around lines 5 to 52, the README duplicates the
full Dockerfile and docker-compose.yml contents which causes maintenance drift;
remove the embedded Dockerfile and docker-compose.yml blocks and replace them
with a short "Overview" paragraph that lists the key facts (Ubuntu 22.04 base,
OpenSSH server with password/key auth, testuser with sudo, port 2222) and a note
pointing readers to the actual Dockerfile and docker-compose.yml in the
repository for full configuration; ensure any important config highlights remain
in the overview but no full file contents are in the README.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

apps/desktop/docs/REMOTE_WORKSPACE_AGENT.md (2)

37-37: Minor grammatical suggestion: hyphenate compound adjective.

Per the static analysis hint, "Zero Friction Development" modifying the following noun should be hyphenated to "Zero-Friction Development" for consistency with English compound adjective conventions.

---

1722-1733: Use a proper heading instead of emphasis for section labels.

Line 1734 uses bold emphasis (e.g., **Phase**) for what appears to be a table heading. Consider restructuring to use a proper markdown heading (##) above the table to improve document structure and comply with markdown best practices (MD036).

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 52a6775 and 23779a2.

📒 Files selected for processing (1)

• apps/desktop/docs/REMOTE_WORKSPACE_AGENT.md

🧰 Additional context used

🧠 Learnings (4)

📓 Common learnings

Learnt from: CR
Repo: superset-sh/superset PR: 0
File: apps/desktop/CLAUDE.md:0-0
Timestamp: 2025-11-24T21:32:21.725Z
Learning: Applies to apps/desktop/**/AGENTS.md : Document agent responsibilities, capabilities, and interaction patterns in AGENTS.md

📚 Learning: 2025-11-24T21:32:21.725Z

Learnt from: CR
Repo: superset-sh/superset PR: 0
File: apps/desktop/CLAUDE.md:0-0
Timestamp: 2025-11-24T21:32:21.725Z
Learning: Applies to apps/desktop/**/AGENTS.md : Document agent responsibilities, capabilities, and interaction patterns in AGENTS.md

Applied to files:

• apps/desktop/docs/REMOTE_WORKSPACE_AGENT.md

📚 Learning: 2025-11-24T21:32:17.800Z

Learnt from: CR
Repo: superset-sh/superset PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T21:32:17.800Z
Learning: Applies to AGENTS.md : Document agent responsibilities and interactions in AGENTS.md

Applied to files:

• apps/desktop/docs/REMOTE_WORKSPACE_AGENT.md

📚 Learning: 2025-11-24T21:32:21.725Z

Learnt from: CR
Repo: superset-sh/superset PR: 0
File: apps/desktop/CLAUDE.md:0-0
Timestamp: 2025-11-24T21:32:21.725Z
Learning: Maintain agent documentation including roles, capabilities, and interaction protocols

Applied to files:

• apps/desktop/docs/REMOTE_WORKSPACE_AGENT.md

🪛 LanguageTool

apps/desktop/docs/REMOTE_WORKSPACE_AGENT.md

[uncategorized] ~37-~37: If this is a compound adjective that modifies the following noun, use a hyphen.
Context: ...l features work on remote machines 2. Zero Friction Development: Adding new features work...

(EN_COMPOUND_ADJECTIVE_INTERNAL)

🪛 markdownlint-cli2 (0.18.1)

apps/desktop/docs/REMOTE_WORKSPACE_AGENT.md

9-9: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

60-60: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

111-111: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

1232-1232: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

1734-1734: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)

• GitHub Check: Deploy Admin
• GitHub Check: Deploy API
• GitHub Check: Deploy Marketing
• GitHub Check: Deploy Docs
• GitHub Check: Deploy Web
• GitHub Check: Build

🔇 Additional comments (1)

apps/desktop/docs/REMOTE_WORKSPACE_AGENT.md (1)

1-1756: Excellent architectural documentation; verify naming convention alignment.

This is comprehensive and well-structured documentation covering the Remote Workspace Agent architecture, design goals, package structure, RPC infrastructure, SSH transport, deployment flow, and developer workflows. The use of diagrams, code examples, and phased implementation guidance is exemplary.

However, the retrieved learnings reference documenting agent patterns in AGENTS.md, while this file is named REMOTE_WORKSPACE_AGENT.md. Verify whether this file should follow the learnings convention or if a separate AGENTS.md file is planned. If this is the intended agent documentation file, ensure the naming aligns with the codebase's documentation conventions.

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (1)

apps/desktop/docs/REMOTE_WORKSPACE_AGENT.md (1)

23-23: Add language specifiers to fenced code blocks.

Four code blocks lack language specifiers, which causes markdown linting failures. Add text to each to specify the block contains ASCII/plaintext diagrams.

🔎 Proposed fixes

-```
+```text
 ┌─────────────────────────────────────────────────────────────────────────────┐
 │                           SUPERSET DESKTOP                                  │

Apply the same fix (change ``` to ```text) to lines 56, 105, and 257.

This matches the prior review feedback; addressing these now ensures clean linter compliance.

Also applies to: 56-56, 105-105, 257-257

🧹 Nitpick comments (1)

apps/desktop/docs/REMOTE_WORKSPACE_AGENT.md (1)

50-50: Simplify "exact same" phrasing.

Line 50 uses "exact same," which is more verbose than necessary. Consider "The agent uses the same localGitOperations as the desktop app."

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 23779a2 and 5b9d6e0.

📒 Files selected for processing (1)

• apps/desktop/docs/REMOTE_WORKSPACE_AGENT.md

🧰 Additional context used

🧠 Learnings (3)

📚 Learning: 2025-11-24T21:32:21.725Z

Learnt from: CR
Repo: superset-sh/superset PR: 0
File: apps/desktop/CLAUDE.md:0-0
Timestamp: 2025-11-24T21:32:21.725Z
Learning: Applies to apps/desktop/**/AGENTS.md : Document agent responsibilities, capabilities, and interaction patterns in AGENTS.md

Applied to files:

• apps/desktop/docs/REMOTE_WORKSPACE_AGENT.md

📚 Learning: 2025-11-24T21:32:17.800Z

Learnt from: CR
Repo: superset-sh/superset PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T21:32:17.800Z
Learning: Applies to AGENTS.md : Document agent responsibilities and interactions in AGENTS.md

Applied to files:

• apps/desktop/docs/REMOTE_WORKSPACE_AGENT.md

📚 Learning: 2025-11-24T21:32:21.725Z

Learnt from: CR
Repo: superset-sh/superset PR: 0
File: apps/desktop/CLAUDE.md:0-0
Timestamp: 2025-11-24T21:32:21.725Z
Learning: Maintain agent documentation including roles, capabilities, and interaction protocols

Applied to files:

• apps/desktop/docs/REMOTE_WORKSPACE_AGENT.md

🪛 LanguageTool

apps/desktop/docs/REMOTE_WORKSPACE_AGENT.md

[style] ~50-~50: ‘exact same’ might be wordy. Consider a shorter alternative.
Context: ...`` Key insight: The agent uses the exact same localGitOperations as the desktop app...

(EN_WORDINESS_PREMIUM_EXACT_SAME)

🪛 markdownlint-cli2 (0.18.1)

apps/desktop/docs/REMOTE_WORKSPACE_AGENT.md

23-23: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

56-56: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

105-105: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

257-257: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)

• GitHub Check: Deploy Docs
• GitHub Check: Deploy Marketing
• GitHub Check: Deploy Admin
• GitHub Check: Deploy Web
• GitHub Check: Deploy API
• GitHub Check: Build