|
| 1 | +# Cursor Rules |
| 2 | + |
| 3 | +This project is called "Coder" - an application for managing remote development environments. |
| 4 | + |
| 5 | +Coder provides a platform for creating, managing, and using remote development environments (also known as Cloud Development Environments or CDEs). It leverages Terraform to define and provision these environments, which are referred to as "workspaces" within the project. The system is designed to be extensible, secure, and provide developers with a seamless remote development experience. |
| 6 | + |
| 7 | +# Core Architecture |
| 8 | + |
| 9 | +The heart of Coder is a control plane that orchestrates the creation and management of workspaces. This control plane interacts with separate Provisioner processes over gRPC to handle workspace builds. The Provisioners consume workspace definitions and use Terraform to create the actual infrastructure. |
| 10 | + |
| 11 | +The CLI package serves dual purposes - it can be used to launch the control plane itself and also provides client functionality for users to interact with an existing control plane instance. All user-facing frontend code is developed in TypeScript using React and lives in the `site/` directory. |
| 12 | + |
| 13 | +The database layer uses PostgreSQL with SQLC for generating type-safe database code. Database migrations are carefully managed to ensure both forward and backward compatibility through paired `.up.sql` and `.down.sql` files. |
| 14 | + |
| 15 | +# API Design |
| 16 | + |
| 17 | +Coder's API architecture combines REST and gRPC approaches. The REST API is defined in `coderd/coderd.go` and uses Chi for HTTP routing. This provides the primary interface for the frontend and external integrations. |
| 18 | + |
| 19 | +Internal communication with Provisioners occurs over gRPC, with service definitions maintained in `.proto` files. This separation allows for efficient binary communication with the components responsible for infrastructure management while providing a standard REST interface for human-facing applications. |
| 20 | + |
| 21 | +# Network Architecture |
| 22 | + |
| 23 | +Coder implements a secure networking layer based on Tailscale's Wireguard implementation. The `tailnet` package provides connectivity between workspace agents and clients through DERP (Designated Encrypted Relay for Packets) servers when direct connections aren't possible. This creates a secure overlay network allowing access to workspaces regardless of network topology, firewalls, or NAT configurations. |
| 24 | + |
| 25 | +## Tailnet and DERP System |
| 26 | + |
| 27 | +The networking system has three key components: |
| 28 | + |
| 29 | +1. **Tailnet**: An overlay network implemented in the `tailnet` package that provides secure, end-to-end encrypted connections between clients, the Coder server, and workspace agents. |
| 30 | + |
| 31 | +2. **DERP Servers**: These relay traffic when direct connections aren't possible. Coder provides several options: |
| 32 | + - A built-in DERP server that runs on the Coder control plane |
| 33 | + - Integration with Tailscale's global DERP infrastructure |
| 34 | + - Support for custom DERP servers for lower latency or offline deployments |
| 35 | + |
| 36 | +3. **Direct Connections**: When possible, the system establishes peer-to-peer connections between clients and workspaces using STUN for NAT traversal. This requires both endpoints to send UDP traffic on ephemeral ports. |
| 37 | + |
| 38 | +## Workspace Proxies |
| 39 | + |
| 40 | +Workspace proxies (in the Enterprise edition) provide regional relay points for browser-based connections, reducing latency for geo-distributed teams. Key characteristics: |
| 41 | + |
| 42 | +- Deployed as independent servers that authenticate with the Coder control plane |
| 43 | +- Relay connections for SSH, workspace apps, port forwarding, and web terminals |
| 44 | +- Do not make direct database connections |
| 45 | +- Managed through the `coder wsproxy` commands |
| 46 | +- Implemented primarily in the `enterprise/wsproxy/` package |
| 47 | + |
| 48 | +# Agent System |
| 49 | + |
| 50 | +The workspace agent runs within each provisioned workspace and provides core functionality including: |
| 51 | +- SSH access to workspaces via the `agentssh` package |
| 52 | +- Port forwarding |
| 53 | +- Terminal connectivity via the `pty` package for pseudo-terminal support |
| 54 | +- Application serving |
| 55 | +- Healthcheck monitoring |
| 56 | +- Resource usage reporting |
| 57 | + |
| 58 | +Agents communicate with the control plane using the tailnet system and authenticate using secure tokens. |
| 59 | + |
| 60 | +# Workspace Applications |
| 61 | + |
| 62 | +Workspace applications (or "apps") provide browser-based access to services running within workspaces. The system supports: |
| 63 | + |
| 64 | +- HTTP(S) and WebSocket connections |
| 65 | +- Path-based or subdomain-based access URLs |
| 66 | +- Health checks to monitor application availability |
| 67 | +- Different sharing levels (owner-only, authenticated users, or public) |
| 68 | +- Custom icons and display settings |
| 69 | + |
| 70 | +The implementation is primarily in the `coderd/workspaceapps/` directory with components for URL generation, proxying connections, and managing application state. |
| 71 | + |
| 72 | +# Implementation Details |
| 73 | + |
| 74 | +The project structure separates frontend and backend concerns. React components and pages are organized in the `site/src/` directory, with Jest used for testing. The backend is primarily written in Go, with a strong emphasis on error handling patterns and test coverage. |
| 75 | + |
| 76 | +Database interactions are carefully managed through migrations in `coderd/database/migrations/` and queries in `coderd/database/queries/`. All new queries require proper database authorization (dbauthz) implementation to ensure that only users with appropriate permissions can access specific resources. |
| 77 | + |
| 78 | +# Authorization System |
| 79 | + |
| 80 | +The database authorization (dbauthz) system enforces fine-grained access control across all database operations. It uses role-based access control (RBAC) to validate user permissions before executing database operations. The `dbauthz` package wraps the database store and performs authorization checks before returning data. All database operations must pass through this layer to ensure security. |
| 81 | + |
| 82 | +# Testing Framework |
| 83 | + |
| 84 | +The codebase has a comprehensive testing approach with several key components: |
| 85 | + |
| 86 | +1. **Parallel Testing**: All tests must use `t.Parallel()` to run concurrently, which improves test suite performance and helps identify race conditions. |
| 87 | + |
| 88 | +2. **coderdtest Package**: This package in `coderd/coderdtest/` provides utilities for creating test instances of the Coder server, setting up test users and workspaces, and mocking external components. |
| 89 | + |
| 90 | +3. **Integration Tests**: Tests often span multiple components to verify system behavior, such as template creation, workspace provisioning, and agent connectivity. |
| 91 | + |
| 92 | +4. **Enterprise Testing**: Enterprise features have dedicated test utilities in the `coderdenttest` package. |
| 93 | + |
| 94 | +# Open Source and Enterprise Components |
| 95 | + |
| 96 | +The repository contains both open source and enterprise components: |
| 97 | + |
| 98 | +- Enterprise code lives primarily in the `enterprise/` directory |
| 99 | +- Enterprise features focus on governance, scalability (high availability), and advanced deployment options like workspace proxies |
| 100 | +- The boundary between open source and enterprise is managed through a licensing system |
| 101 | +- The same core codebase supports both editions, with enterprise features conditionally enabled |
| 102 | + |
| 103 | +# Development Philosophy |
| 104 | + |
| 105 | +Coder emphasizes clear error handling, with specific patterns required: |
| 106 | +- Concise error messages that avoid phrases like "failed to" |
| 107 | +- Wrapping errors with `%w` to maintain error chains |
| 108 | +- Using sentinel errors with the "err" prefix (e.g., `errNotFound`) |
| 109 | + |
| 110 | +All tests should run in parallel using `t.Parallel()` to ensure efficient testing and expose potential race conditions. The codebase is rigorously linted with golangci-lint to maintain consistent code quality. |
| 111 | + |
| 112 | +Git contributions follow a standard format with commit messages structured as `type: <message>`, where type is one of `feat`, `fix`, or `chore`. |
| 113 | + |
| 114 | +# Development Workflow |
| 115 | + |
| 116 | +Development can be initiated using `scripts/develop.sh` to start the application after making changes. Database schema updates should be performed through the migration system using `create_migration.sh <name>` to generate migration files, with each `.up.sql` migration paired with a corresponding `.down.sql` that properly reverts all changes. |
| 117 | + |
| 118 | +If the development database gets into a bad state, it can be completely reset by removing the PostgreSQL data directory with `rm -rf .coderv2/postgres`. This will destroy all data in the development database, requiring you to recreate any test users, templates, or workspaces after restarting the application. |
| 119 | + |
| 120 | +Code generation for the database layer uses `coderd/database/generate.sh`, and developers should refer to `sqlc.yaml` for the appropriate style and patterns to follow when creating new queries or tables. |
| 121 | + |
| 122 | +The focus should always be on maintaining security through proper database authorization, clean error handling, and comprehensive test coverage to ensure the platform remains robust and reliable. |
0 commit comments