Add gRPC insecure mode and node timeouts

Author: richiemcilroy

apps/api/src/auth.ts

@@ -13,6 +13,10 @@ function getResend(resendApiKey: string) {
 
 function createAuth() {
   const env = loadEnv()
+  const authBaseUrl = new URL(env.BETTER_AUTH_BASE_URL)
+  const isLocalAuth =
+    authBaseUrl.hostname === 'localhost' || authBaseUrl.hostname === '127.0.0.1'
+
   return betterAuth({
     baseURL: env.BETTER_AUTH_BASE_URL,
     secret: env.BETTER_AUTH_SECRET,
@@ -28,13 +32,17 @@ function createAuth() {
       },
     },
     advanced: {
-      crossSubDomainCookies: {
-        enabled: true,
-        domain: env.BETTER_AUTH_COOKIE_DOMAIN ?? '.sandchest.com',
-      },
+      ...(isLocalAuth
+        ? {}
+        : {
+            crossSubDomainCookies: {
+              enabled: true,
+              domain: env.BETTER_AUTH_COOKIE_DOMAIN ?? '.sandchest.com',
+            },
+          }),
       defaultCookieAttributes: {
-        sameSite: 'none',
-        secure: true,
+        sameSite: isLocalAuth ? 'lax' : 'none',
+        secure: isLocalAuth ? false : true,
       },
     },
     database: createPool({

apps/api/src/env.test.ts

@@ -66,6 +66,17 @@ describe('loadEnv', () => {
     expect(env.REDIS_URL).toBe('redis://localhost:6379')
   })
 
+  test('NODE_GRPC_INSECURE defaults to false when unset', () => {
+    const env = loadEnv()
+    expect(env.NODE_GRPC_INSECURE).toBe(false)
+  })
+
+  test('reads NODE_GRPC_INSECURE from env when set to 1', () => {
+    process.env.NODE_GRPC_INSECURE = '1'
+    const env = loadEnv()
+    expect(env.NODE_GRPC_INSECURE).toBe(true)
+  })
+
   test('returns undefined for ARTIFACT_BUCKET_NAME when unset', () => {
     const env = loadEnv()
     expect(env.ARTIFACT_BUCKET_NAME).toBeUndefined()

apps/api/src/env.ts

@@ -50,6 +50,7 @@ export function loadEnv() {
     NODE_GRPC_CERT_PATH: process.env.NODE_GRPC_CERT_PATH as string | undefined,
     NODE_GRPC_KEY_PATH: process.env.NODE_GRPC_KEY_PATH as string | undefined,
     NODE_GRPC_CA_PATH: process.env.NODE_GRPC_CA_PATH as string | undefined,
+    NODE_GRPC_INSECURE: process.env.NODE_GRPC_INSECURE === '1',
     // mTLS via PEM content (Fly.io secrets — preferred in production)
     MTLS_CA_PEM: process.env.MTLS_CA_PEM as string | undefined,
     MTLS_CLIENT_CERT_PEM: process.env.MTLS_CLIENT_CERT_PEM as string | undefined,

apps/api/src/index.ts

@@ -67,14 +67,16 @@ const isProduction = env.NODE_ENV === 'production'
 
 const RedisLive = REDIS_URL ? createRedisLayer(REDIS_URL, { family: REDIS_FAMILY }) : RedisMemory
 
-const { NODE_GRPC_ADDR, NODE_GRPC_NODE_ID, NODE_GRPC_CERT_PATH, NODE_GRPC_KEY_PATH, NODE_GRPC_CA_PATH, MTLS_CA_PEM, MTLS_CLIENT_CERT_PEM, MTLS_CLIENT_KEY_PEM } = env
+const { NODE_GRPC_ADDR, NODE_GRPC_NODE_ID, NODE_GRPC_CERT_PATH, NODE_GRPC_KEY_PATH, NODE_GRPC_CA_PATH, NODE_GRPC_INSECURE, MTLS_CA_PEM, MTLS_CLIENT_CERT_PEM, MTLS_CLIENT_KEY_PEM } = env
 const hasPemContent = MTLS_CA_PEM && MTLS_CLIENT_CERT_PEM && MTLS_CLIENT_KEY_PEM
 const hasFilePaths = NODE_GRPC_CERT_PATH && NODE_GRPC_KEY_PATH && NODE_GRPC_CA_PATH
+const hasNodeGrpcConfig = NODE_GRPC_ADDR && NODE_GRPC_NODE_ID && (NODE_GRPC_INSECURE || hasPemContent || hasFilePaths)
 const NodeClientLive =
-  NODE_GRPC_ADDR && NODE_GRPC_NODE_ID && (hasPemContent || hasFilePaths)
+  hasNodeGrpcConfig
     ? createNodeClientLayer({
-        address: NODE_GRPC_ADDR,
-        nodeId: NODE_GRPC_NODE_ID,
+        address: NODE_GRPC_ADDR!,
+        nodeId: NODE_GRPC_NODE_ID!,
+        insecure: NODE_GRPC_INSECURE,
         // Prefer PEM content (Fly.io secrets) over file paths (local dev)
         caPem: MTLS_CA_PEM,
         certPem: MTLS_CLIENT_CERT_PEM,
@@ -156,10 +158,10 @@ const ProductionFallbackWarnings = Layer.scopedDiscard(
       )
     }
 
-    const hasNodeClient = NODE_GRPC_ADDR && NODE_GRPC_NODE_ID && (hasPemContent || hasFilePaths)
+    const hasNodeClient = hasNodeGrpcConfig
     if (!hasNodeClient) {
       yield* Effect.logWarning(
-        'Node gRPC client is not configured — using in-memory stub. Sandbox creation, exec, and session operations will return mock data. Fix: set NODE_GRPC_ADDR, NODE_GRPC_NODE_ID, and mTLS credentials',
+        'Node gRPC client is not configured — using in-memory stub. Sandbox creation, exec, and session operations will return mock data. Fix: set NODE_GRPC_ADDR, NODE_GRPC_NODE_ID, and either NODE_GRPC_INSECURE=1 for localhost or mTLS credentials',
       )
     }
   }),

apps/api/src/routes/files.test.ts

@@ -26,15 +26,16 @@ import { createInMemoryMetricsRepo } from '../services/metrics-repo.memory.js'
 import { ShutdownControllerLive } from '../shutdown.js'
 import { idToBytes } from '@sandchest/contract'
 import { RUN_API_INTEGRATION_TESTS } from '../test-support.js'
+import type { NodeClientApi } from '../services/node-client.js'
 
 const TEST_ORG = 'org_test_123'
 const TEST_USER = 'user_test_456'
 
-function createTestEnv() {
+function createTestEnv(overrides?: { nodeClient?: NodeClientApi }) {
   const sandboxRepo = createInMemorySandboxRepo()
   const execRepo = createInMemoryExecRepo()
   const sessionRepo = createInMemorySessionRepo()
-  const nodeClient = createInMemoryNodeClient()
+  const nodeClient = overrides?.nodeClient ?? createInMemoryNodeClient()
   const redis = createInMemoryRedisApi()
   const artifactRepo = createInMemoryArtifactRepo()
 
@@ -231,6 +232,48 @@ describe.skipIf(!RUN_API_INTEGRATION_TESTS)('PUT /v1/sandboxes/:id/files — upl
 
     expect(result.status).toBe(409)
   })
+
+  test('returns 500 when node putFile times out', async () => {
+    const env = createTestEnv({
+      nodeClient: {
+        ...createInMemoryNodeClient(),
+        putFile: () => Effect.never,
+      },
+    })
+    const sandboxId = await createRunningSandbox(env)
+    const originalTimeout = process.env.NODE_FILE_TIMEOUT_MS
+    process.env.NODE_FILE_TIMEOUT_MS = '10'
+
+    try {
+      const result = await env.runTest(
+        Effect.gen(function* () {
+          const client = yield* HttpClient.HttpClient
+          const response = yield* client.execute(
+            HttpClientRequest.put(
+              `/v1/sandboxes/${sandboxId}/files?path=/work/test.txt`,
+            ).pipe(
+              HttpClientRequest.bodyUint8Array(
+                new TextEncoder().encode('data'),
+                'application/octet-stream',
+              ),
+            ),
+          )
+          const body = yield* response.json
+          return { status: response.status, body: body as { error: string; message: string } }
+        }),
+      )
+
+      expect(result.status).toBe(500)
+      expect(result.body.error).toBe('internal_error')
+      expect(result.body.message).toContain('Node putFile timed out after 10ms')
+    } finally {
+      if (originalTimeout === undefined) {
+        delete process.env.NODE_FILE_TIMEOUT_MS
+      } else {
+        process.env.NODE_FILE_TIMEOUT_MS = originalTimeout
+      }
+    }
+  })
 })
 
 // ---------------------------------------------------------------------------

apps/api/src/routes/files.ts

@@ -1,8 +1,9 @@
 import { HttpRouter, HttpServerRequest, HttpServerResponse } from '@effect/platform'
-import { Effect } from 'effect'
+import { Cause, Effect } from 'effect'
 import { idToBytes } from '@sandchest/contract'
 import type { FileEntry, ListFilesResponse } from '@sandchest/contract'
 import {
+  InternalError,
   NotFoundError,
   SandboxNotRunningError,
   ValidationError,
@@ -15,6 +16,7 @@ import { NodeClient } from '../services/node-client.js'
 const MAX_SINGLE_FILE = 5 * 1024 * 1024 * 1024 // 5 GB
 const MAX_BATCH_FILE = 10 * 1024 * 1024 * 1024 // 10 GB
 const DEFAULT_LIST_LIMIT = 200
+const DEFAULT_NODE_FILE_TIMEOUT_MS = 30_000
 
 function parseSandboxId(idStr: string | undefined) {
   if (!idStr) {
@@ -27,6 +29,40 @@ function parseSandboxId(idStr: string | undefined) {
   }
 }
 
+function resolveNodeFileTimeoutMs(): number {
+  const raw = process.env['NODE_FILE_TIMEOUT_MS']
+  if (!raw) {
+    return DEFAULT_NODE_FILE_TIMEOUT_MS
+  }
+
+  const parsed = Number.parseInt(raw, 10)
+  return Number.isInteger(parsed) && parsed > 0 ? parsed : DEFAULT_NODE_FILE_TIMEOUT_MS
+}
+
+function withNodeFileTimeout<A>(
+  operation: string,
+  effect: Effect.Effect<A, never, never>,
+): Effect.Effect<A, InternalError, never> {
+  const timeoutMs = resolveNodeFileTimeoutMs()
+
+  return effect.pipe(
+    Effect.timeoutFail({
+      duration: `${timeoutMs} millis`,
+      onTimeout: () =>
+        new InternalError({
+          message: `Node ${operation} timed out after ${timeoutMs}ms`,
+        }),
+    }),
+    Effect.catchAllCause((cause) =>
+      Effect.fail(
+        new InternalError({
+          message: `Node ${operation} failed: ${Cause.pretty(cause)}`,
+        }),
+      ),
+    ),
+  )
+}
+
 // -- Upload file -------------------------------------------------------------
 
 const uploadFile = Effect.gen(function* () {
@@ -77,11 +113,14 @@ const uploadFile = Effect.gen(function* () {
     )
   }
 
-  const result = yield* nodeClient.putFile({
-    sandboxId: sandboxIdBytes,
-    path,
-    data,
-  })
+  const result = yield* withNodeFileTimeout(
+    'putFile',
+    nodeClient.putFile({
+      sandboxId: sandboxIdBytes,
+      path,
+      data,
+    }),
+  )
 
   return HttpServerResponse.unsafeJson({
     path,
@@ -136,10 +175,13 @@ const downloadOrListFiles = Effect.gen(function* () {
       )
     }
 
-    const entries = yield* nodeClient.listFiles({
-      sandboxId: sandboxIdBytes,
-      path,
-    })
+    const entries = yield* withNodeFileTimeout(
+      'listFiles',
+      nodeClient.listFiles({
+        sandboxId: sandboxIdBytes,
+        path,
+      }),
+    )
 
     // Apply cursor-based pagination
     let startIdx = 0
@@ -167,10 +209,13 @@ const downloadOrListFiles = Effect.gen(function* () {
   }
 
   // File download
-  const data = yield* nodeClient.getFile({
-    sandboxId: sandboxIdBytes,
-    path,
-  })
+  const data = yield* withNodeFileTimeout(
+    'getFile',
+    nodeClient.getFile({
+      sandboxId: sandboxIdBytes,
+      path,
+    }),
+  )
 
   return HttpServerResponse.uint8Array(data, {
     contentType: 'application/octet-stream',
@@ -216,10 +261,13 @@ const deleteFile = Effect.gen(function* () {
     return yield* Effect.fail(new ValidationError({ message: 'path query parameter is required' }))
   }
 
-  yield* nodeClient.deleteFile({
-    sandboxId: sandboxIdBytes,
-    path,
-  })
+  yield* withNodeFileTimeout(
+    'deleteFile',
+    nodeClient.deleteFile({
+      sandboxId: sandboxIdBytes,
+      path,
+    }),
+  )
 
   return HttpServerResponse.unsafeJson({ ok: true })
 })