feat: wire port exposure WebSocket proxy + MCP gateway lifecycle

apps/control-plane/src/app.ts

@@ -74,7 +74,7 @@
 import { registerWorkerWebSocket } from './routes/worker-ws.js';
 import { healthRoute } from './routes/health.js';
 import { createMcpRoutes } from './routes/mcp.js';
-import { createExposeRoutes } from './routes/expose.js';
+import { createExposeRoutes, generateExposedUrls } from './routes/expose.js';
 import {
   createEnrollmentRoutes,
   createEnrollmentStore,
@@ -1357,7 +1357,7 @@
         TRIGGER_TYPE: event.type,
         GITHUB_REPO: event.repo,
         GITHUB_SENDER: event.sender,
       };
 
       if (event.type === 'mention') {
         envVars['GITHUB_COMMAND'] = event.command;
@@ -1930,6 +1930,7 @@
 
   const exposeRoutes = createExposeRoutes({
     sessionStore,
+    ...(deps.upgradeWebSocket ? { upgradeWebSocket: deps.upgradeWebSocket } : {}),
   });
   app.route('/', exposeRoutes);
 
@@ -2043,8 +2044,13 @@
   sessionId: string,
   request: Parameters<WorkerClient['createSession']>[1],
 ): void {
+  // Freeze exposed port URLs at dispatch time — URLs are available immediately
+  const expose = request.network?.expose ?? [];
+  const exposedPorts = expose.length > 0 ? generateExposedUrls(sessionId, expose) : undefined;
+
   sessionStore.updateStatus(sessionId, 'running', {
     startedAt: new Date().toISOString(),
+    ...(exposedPorts ? { exposedPorts } : {}),
   });
 
   void (async () => {

apps/control-plane/src/routes/expose.ts

@@ -1,5 +1,6 @@
 import { createRoute, z } from '@hono/zod-openapi';
 import { OpenAPIHono } from '@hono/zod-openapi';
+import type { UpgradeWebSocket } from 'hono/ws';
 import { createLogger } from '@paws/logger';
 import type { SessionStore } from '@paws/domain-session';
 
@@ -13,6 +14,8 @@ export interface ExposeDeps {
   sessionStore: SessionStore;
   /** Base domain for session URLs (e.g. "fleet.tpops.dev") */
   fleetDomain?: string;
+  /** WebSocket upgrade function (needed for WS proxying to VMs) */
+  upgradeWebSocket?: UpgradeWebSocket;
 }
 
 // ---------------------------------------------------------------------------
@@ -22,7 +25,12 @@ export interface ExposeDeps {
 /** Generate exposed port URLs for a session */
 export function generateExposedUrls(
   sessionId: string,
-  expose: Array<{ port: number; label?: string; access?: string; pathPrefix?: string }>,
+  expose: Array<{
+    port: number;
+    label?: string | undefined;
+    access?: string | undefined;
+    pathPrefix?: string | undefined;
+  }>,
   fleetDomain?: string,
 ): Array<{ port: number; url: string; label?: string; access?: string; pin?: string }> {
   const baseUrl = fleetDomain ?? 'localhost:3000';
@@ -76,6 +84,28 @@ const exposeHealthRoute = createRoute({
   },
 });
 
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+/** Resolve which exposed port to proxy to based on the request path */
+function resolvePort(
+  path: string,
+  expose: Array<{ port: number; pathPrefix?: string }>,
+): number | undefined {
+  if (expose.length === 0) return undefined;
+
+  // Try path-prefix matching first (longest match wins)
+  const withPrefix = expose
+    .filter((e) => e.pathPrefix && e.pathPrefix !== '/' && path.startsWith(e.pathPrefix))
+    .sort((a, b) => (b.pathPrefix?.length ?? 0) - (a.pathPrefix?.length ?? 0));
+
+  if (withPrefix.length > 0) return withPrefix[0]!.port;
+
+  // Default to the first exposed port
+  return expose[0]!.port;
+}
+
 // ---------------------------------------------------------------------------
 // Factory
 // ---------------------------------------------------------------------------
@@ -109,6 +139,124 @@ export function createExposeRoutes(deps: ExposeDeps) {
     }
   });
 
+  // WebSocket proxy: /s/:sessionId/ws/* → worker WS proxy → VM
+  if (deps.upgradeWebSocket) {
+    const upgradeWs = deps.upgradeWebSocket;
+
+    app.get(
+      '/s/:sessionId/ws/*',
+      upgradeWs((c) => {
+        const sessionId = c.req.param('sessionId')!;
+
+        const session = sessionStore.get(sessionId);
+        if (!session || session.status !== 'running') {
+          return {
+            onOpen(_evt, ws) {
+              ws.close(4004, 'Session not found or not running');
+            },
+          };
+        }
+
+        const expose = session.request.network?.expose ?? [];
+        if (expose.length === 0) {
+          return {
+            onOpen(_evt, ws) {
+              ws.close(4003, 'No ports exposed');
+            },
+          };
+        }
+
+        const workerUrl = session.worker;
+        if (!workerUrl) {
+          return {
+            onOpen(_evt, ws) {
+              ws.close(4502, 'No worker assigned');
+            },
+          };
+        }
+
+        const prefix = `/s/${sessionId}/ws`;
+        const remainingPath = c.req.path.slice(prefix.length) || '/';
+        const queryString = new URL(c.req.url).search;
+        const targetPort = resolvePort(remainingPath, expose);
+
+        if (!targetPort) {
+          return {
+            onOpen(_evt, ws) {
+              ws.close(4003, 'Port not exposed');
+            },
+          };
+        }
+
+        // Convert worker HTTP URL to WS URL for the worker's WS proxy endpoint
+        const workerWsUrl = workerUrl.replace(/^http:/, 'ws:').replace(/^https:/, 'wss:');
+        const backendUrl = `${workerWsUrl}/v1/sessions/${sessionId}/proxy/${targetPort}/ws${remainingPath}${queryString}`;
+
+        let backendWs: WebSocket | null = null;
+
+        return {
+          onOpen(_evt, clientWs) {
+            log.debug('WebSocket proxy opening', {
+              sessionId,
+              port: targetPort,
+              backend: backendUrl,
+            });
+
+            backendWs = new WebSocket(backendUrl);
+
+            backendWs.addEventListener('open', () => {
+              log.debug('Backend WebSocket connected', { sessionId, port: targetPort });
+            });
+
+            backendWs.addEventListener('message', (evt) => {
+              try {
+                if (typeof evt.data === 'string') {
+                  clientWs.send(evt.data);
+                } else if (evt.data instanceof ArrayBuffer) {
+                  clientWs.send(new Uint8Array(evt.data));
+                }
+              } catch {
+                // Client disconnected
+              }
+            });
+
+            backendWs.addEventListener('close', (evt) => {
+              clientWs.close(evt.code, evt.reason);
+            });
+
+            backendWs.addEventListener('error', () => {
+              clientWs.close(4502, 'Backend connection failed');
+            });
+          },
+
+          onMessage(evt, _ws) {
+            if (backendWs?.readyState === WebSocket.OPEN) {
+              if (typeof evt.data === 'string') {
+                backendWs.send(evt.data);
+              } else if (evt.data instanceof ArrayBuffer) {
+                backendWs.send(evt.data);
+              }
+            }
+          },
+
+          onClose(_evt, _ws) {
+            if (backendWs && backendWs.readyState !== WebSocket.CLOSED) {
+              backendWs.close();
+            }
+            backendWs = null;
+          },
+
+          onError(_evt, _ws) {
+            if (backendWs && backendWs.readyState !== WebSocket.CLOSED) {
+              backendWs.close();
+            }
+            backendWs = null;
+          },
+        };
+      }),
+    );
+  }
+
   // Catch-all reverse proxy: /s/:sessionId/* → worker → VM
   app.all('/s/:sessionId/*', async (c) => {
     const sessionId = c.req.param('sessionId');
@@ -128,17 +276,20 @@ export function createExposeRoutes(deps: ExposeDeps) {
     // Strip /s/:sessionId prefix to get the remaining path
     const prefix = `/s/${sessionId}`;
     const remainingPath = c.req.path.slice(prefix.length) || '/';
+    const queryString = new URL(c.req.url).search;
 
-    // Default to first exposed port (path-based routing is a future enhancement)
-    const targetPort = expose[0]!.port;
+    const targetPort = resolvePort(remainingPath, expose);
+    if (!targetPort) {
+      return c.text('Port not exposed', 403);
+    }
 
     // Forward to worker
     const workerUrl = session.worker;
     if (!workerUrl) {
       return c.text('No worker assigned to session', 502);
     }
 
-    const targetUrl = `${workerUrl}/v1/sessions/${sessionId}/proxy/${targetPort}${remainingPath}`;
+    const targetUrl = `${workerUrl}/v1/sessions/${sessionId}/proxy/${targetPort}${remainingPath}${queryString}`;
 
     log.debug('Proxying to worker', {
       sessionId,
@@ -170,9 +321,6 @@ export function createExposeRoutes(deps: ExposeDeps) {
     }
   });
 
-  // Subdomain-based routing middleware (optional, applied at app level)
-  // Extracts session ID from Host header: s-abc123.fleet.tpops.dev → sessionId=abc123
-
   return app;
 }
 

apps/worker/src/routes.ts

@@ -1,6 +1,7 @@
 import { randomUUID } from 'node:crypto';
 
 import { Hono } from 'hono';
+import type { UpgradeWebSocket } from 'hono/ws';
 import { createLogger } from '@paws/logger';
 import { tracingMiddleware } from '@paws/telemetry';
 import { BrowserActionSchema } from '@paws/domain-browser';
@@ -21,6 +22,8 @@ export interface AppDeps {
   syncLoop?: SyncLoop | undefined;
   /** Config for snapshot builder (optional — needed for build endpoint) */
   snapshotBuilderConfig?: SnapshotBuilderConfig | undefined;
+  /** WebSocket upgrade function (needed for WS proxy to VMs) */
+  upgradeWebSocket?: UpgradeWebSocket | undefined;
 }
 
 const log = createLogger('routes');
@@ -551,7 +554,7 @@ const ws = require('ws');
   });
 
   // --- Inbound proxy (VM port exposure) ---
-  registerProxyRoutes(app, executor);
+  registerProxyRoutes(app, executor, deps.upgradeWebSocket);
 
   return app;
 }