Skip to content

Use device-flow host enrollment#35

Draft
adit-chandra wants to merge 4 commits into
mainfrom
adit/device-flow-host-enrollment
Draft

Use device-flow host enrollment#35
adit-chandra wants to merge 4 commits into
mainfrom
adit/device-flow-host-enrollment

Conversation

@adit-chandra

@adit-chandra adit-chandra commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Summary

  • replace the loopback callback listener with a hosted approval + device polling flow
  • generate and stage host credentials locally, then register only the credential hash/prefix after approval
  • target enrollment endpoints at the runtime API base (PROMPTLESS_API_BASE_URL, default https://api.gopromptless.ai) — the worker base only serves healthz/policy/check-ins and its ALB does not route enrollment paths
  • drive the wait loop off the credential-registration endpoint (it doubles as poll: pending/expired passthrough, registers on approval, idempotent for the same hash) — the client never touches the legacy mint-on-poll endpoint
  • classify HTTP failures via parsed detail.code: conflict/revoked/unknown-session drop the pending session for a fresh enrollment next run; 5xx/network errors retry until the deadline
  • run the entire enrollment flow (resume included) under the leader lock; discard malformed persisted state instead of erroring every session start
  • distinguish deliberate browser opt-out from launch failure; shrink the SessionStart hook timeout 390s → 150s
  • bump the managed host runtime to 0.3.0

Dependency

Validation

  • uv run pytest (151 passed; bootstrap tests run the real script against a two-server fake control plane whose worker base 404s enrollment paths like the prod ALB)
  • uv run ruff check .
  • python3.9 -m py_compile of the host-runtime script
  • Coverage now includes: two-run resume with exactly one device session, register-driven pending/expired/conflict/5xx paths, a real credential-leak guard, and a 0.2.0-format stored-credential reuse test proving already-enrolled hosts never re-enroll

- Target device-session creation and credential registration at the hosted
  runtime API (new PROMPTLESS_API_BASE_URL, default api.gopromptless.ai);
  the worker base URL only serves healthz, policy, and check-ins, and its
  ALB does not route enrollment paths.
- Replace the legacy poll loop with a register-driven wait: the credential
  endpoint doubles as the approval poll, so the legacy mint-on-poll exchange
  can never consume a device-flow session out from under the client.
- Classify HTTP failures (new BootstrapHttpError with parsed detail.code):
  conflict/revoked/unknown-session responses drop the pending session so the
  next run enrolls fresh; 5xx and network errors retry until the deadline.
- Run the whole enrollment flow, resume included, under the leader lock so
  concurrent session starts can never open duplicate approval tabs.
- Discard malformed persisted pending sessions instead of erroring every
  session start; derive the credential URL at rehydrate instead of persisting.
- Distinguish deliberate browser opt-out (browser_open_disabled) from launch
  failure; mention promptless-host-runtime enroll in pending guidance; shrink
  the hook timeout to 150s to fit the callback-free flow.
- Rework tests around a two-server fake control plane (worker 404s
  enrollment paths like the prod ALB); add resume, conflict, transient-error,
  leak-guard, and 0.2.0 credential-reuse coverage.
…-enrollment

# Conflicts:
#	src/promptless_instruction_hub/managed_runtime_assets/host-enrollment/promptless-host-runtime
#	tests/test_managed_bootstrap.py
…-enrollment

# Conflicts:
#	src/promptless_instruction_hub/managed_runtime.py
#	src/promptless_instruction_hub/managed_runtime_assets/host-enrollment/promptless-host-runtime
#	tests/test_managed_bootstrap.py
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant