feat: #1686 add Display tab unavailable state #1701

Merged

hongming merged 2 commits from feat/1686-display-unavailable into main 2026-05-23 06:15:52 +00:00

Conversation 4 Commits 2 Files Changed 9

+273 -7

hongming commented 2026-05-23 05:42:37 +00:00

Owner

Copy Link

Copy Source

Summary

Follow-up to #1686 Track B groundwork after #1695 merged.

• Adds admin-gated GET /workspaces/:id/display.
• Returns the explicit non-display unavailable shape for workspaces without compute.display.mode:

  {"available": false, "reason": "display_not_enabled"}
  

• Adds a Canvas Display workspace-panel tab that fetches the endpoint only when the tab is opened.
• Shows Display is not enabled for this workspace. for normal non-display workspaces.

Scope

This is intentionally only the unavailable/product-surface slice. It does not provision DCV, create display sessions, expose raw credentials, or implement desktop-control sidecar tooling.

Trust Boundary

The display endpoint is admin-gated from the first version because a later implementation will return short-lived proxied display-session URLs. The current response does not expose raw DCV/VNC/RDP credentials.

Branch Coverage Ledger

• WorkspaceHandler.Display: empty {} compute returns available:false/reason:display_not_enabled -> TestWorkspaceDisplay_NonDisplayWorkspaceReturnsUnavailable.
• SidePanel: tab registry includes Display and preserves ARIA tab behavior -> SidePanel.tabs.test.tsx.
• DisplayTab: non-display endpoint response renders unavailable copy and calls endpoint only when the component mounts -> DisplayTab.test.tsx.

Comprehensive testing performed

• Focused backend handler test for the new display endpoint.
• Touched backend packages: handlers and router.
• Full workspace-server Go suite.
• Focused Canvas tab/component tests.
• Canvas topology regression test to ensure workspace node mapping remains stable.
• Canvas production build for type/lint/build coverage.

Local-postgres E2E run

Pending / not run locally: Docker is not running on this Mac, so I did not boot local Postgres/Redis or apply migrations against a live DB. This PR has no new migration, but it does touch workspace-server routing/handler code, so a reviewer may require isolated-host Stage A before merge.

Staging-smoke verified or pending

Pending post-merge or reviewer-run staging smoke. Local verification covers the route/component behavior; no staging tenant deploy has been performed from this branch.

Root-cause not symptom

Root cause: #1686 Track A persisted compute.display, but Canvas had no Display tab and core had no display-status endpoint, so non-display workspaces could not show the explicit unavailable state requested in the issue.

Five-Axis review walked

Correctness: no Required findings. The endpoint returns the issue-specified unavailable shape and the Canvas tab calls it lazily by being rendered only for panelTab === "display".

Readability/simplicity: no Required findings. The new component is isolated and uses the existing api.get helper.

Architecture: no Required findings. This keeps display session infrastructure out of this PR and leaves future DCV/session URL wiring behind the same endpoint.

Security: no Required findings. Endpoint is admin-gated before any future sensitive URL shape exists.

Performance: no Required findings. One GET only when the Display tab opens; no background polling or panel-wide eager fetch.

No backwards-compat shim / dead code added

No backwards-compat shim or dead code added. Existing workspaces without compute.display.mode receive the explicit display_not_enabled response and the Canvas tab handles that as the normal default.

Memory/saved-feedback consulted

No saved memory was consulted for this slice; I used the live issue/PR context and current repository code. The applicable standing feedback was the dev SOP and local coding/testing discipline already reflected in this PR body.

Verification

• go test ./internal/handlers -run 'TestWorkspaceDisplay|TestValidateWorkspaceCompute'
• go test ./internal/handlers ./internal/router
• go test ./... from workspace-server/
• npm test -- --run src/components/__tests__/SidePanel.tabs.test.tsx src/components/tabs/__tests__/DisplayTab.test.tsx
• npm test -- --run src/components/__tests__/SidePanel.tabs.test.tsx src/components/tabs/__tests__/DisplayTab.test.tsx src/store/__tests__/canvas-topology.test.ts
• npm run build from canvas/

SOP Stage A Status

Local live Docker/Postgres Stage A is still not run on this Mac because Docker is not running here. This PR should get the isolated host Stage A check before merge if reviewers require the full backend SOP gate.

## Summary Follow-up to #1686 Track B groundwork after #1695 merged. - Adds admin-gated `GET /workspaces/:id/display`. - Returns the explicit non-display unavailable shape for workspaces without `compute.display.mode`: ```json {"available": false, "reason": "display_not_enabled"} ``` - Adds a Canvas `Display` workspace-panel tab that fetches the endpoint only when the tab is opened. - Shows `Display is not enabled for this workspace.` for normal non-display workspaces. ## Scope This is intentionally only the unavailable/product-surface slice. It does not provision DCV, create display sessions, expose raw credentials, or implement desktop-control sidecar tooling. ## Trust Boundary The display endpoint is admin-gated from the first version because a later implementation will return short-lived proxied display-session URLs. The current response does not expose raw DCV/VNC/RDP credentials. ## Branch Coverage Ledger - `WorkspaceHandler.Display`: empty `{}` compute returns `available:false/reason:display_not_enabled` -> `TestWorkspaceDisplay_NonDisplayWorkspaceReturnsUnavailable`. - `SidePanel`: tab registry includes Display and preserves ARIA tab behavior -> `SidePanel.tabs.test.tsx`. - `DisplayTab`: non-display endpoint response renders unavailable copy and calls endpoint only when the component mounts -> `DisplayTab.test.tsx`. ## Comprehensive testing performed - Focused backend handler test for the new display endpoint. - Touched backend packages: handlers and router. - Full workspace-server Go suite. - Focused Canvas tab/component tests. - Canvas topology regression test to ensure workspace node mapping remains stable. - Canvas production build for type/lint/build coverage. ## Local-postgres E2E run Pending / not run locally: Docker is not running on this Mac, so I did not boot local Postgres/Redis or apply migrations against a live DB. This PR has no new migration, but it does touch workspace-server routing/handler code, so a reviewer may require isolated-host Stage A before merge. ## Staging-smoke verified or pending Pending post-merge or reviewer-run staging smoke. Local verification covers the route/component behavior; no staging tenant deploy has been performed from this branch. ## Root-cause not symptom Root cause: #1686 Track A persisted `compute.display`, but Canvas had no Display tab and core had no display-status endpoint, so non-display workspaces could not show the explicit unavailable state requested in the issue. ## Five-Axis review walked Correctness: no Required findings. The endpoint returns the issue-specified unavailable shape and the Canvas tab calls it lazily by being rendered only for `panelTab === "display"`. Readability/simplicity: no Required findings. The new component is isolated and uses the existing `api.get` helper. Architecture: no Required findings. This keeps display session infrastructure out of this PR and leaves future DCV/session URL wiring behind the same endpoint. Security: no Required findings. Endpoint is admin-gated before any future sensitive URL shape exists. Performance: no Required findings. One GET only when the Display tab opens; no background polling or panel-wide eager fetch. ## No backwards-compat shim / dead code added No backwards-compat shim or dead code added. Existing workspaces without `compute.display.mode` receive the explicit `display_not_enabled` response and the Canvas tab handles that as the normal default. ## Memory/saved-feedback consulted No saved memory was consulted for this slice; I used the live issue/PR context and current repository code. The applicable standing feedback was the dev SOP and local coding/testing discipline already reflected in this PR body. ## Verification - `go test ./internal/handlers -run 'TestWorkspaceDisplay|TestValidateWorkspaceCompute'` - `go test ./internal/handlers ./internal/router` - `go test ./...` from `workspace-server/` - `npm test -- --run src/components/__tests__/SidePanel.tabs.test.tsx src/components/tabs/__tests__/DisplayTab.test.tsx` - `npm test -- --run src/components/__tests__/SidePanel.tabs.test.tsx src/components/tabs/__tests__/DisplayTab.test.tsx src/store/__tests__/canvas-topology.test.ts` - `npm run build` from `canvas/` ## SOP Stage A Status Local live Docker/Postgres Stage A is still not run on this Mac because Docker is not running here. This PR should get the isolated host Stage A check before merge if reviewers require the full backend SOP gate.

hongming added 1 commit 2026-05-23 05:42:37 +00:00

Add display unavailable surface cb22373549

hongming added the tier:medium label 2026-05-23 05:42:47 +00:00

hongming requested review from core-qa 2026-05-23 05:42:49 +00:00

hongming requested review from core-security 2026-05-23 05:42:50 +00:00

hongming referenced this pull request 2026-05-23 05:42:50 +00:00

RFC: Per-workspace EC2 configurability — instance type, volume size, OS, GPU #1686

hongming commented 2026-05-23 05:51:08 +00:00

Author

Owner

Copy Link

Copy Source

PR is ready for team review. Verification: local Go handlers/router tests passed, workspace-server go test ./... passed, targeted Canvas vitest passed, canvas npm run build passed. Current Gitea DB status for head cb223735: implementation/SOP/checklist jobs are green; qa-review and security-review are still red because no qualifying APPROVE has been submitted yet.

PR is ready for team review. Verification: local Go handlers/router tests passed, workspace-server go test ./... passed, targeted Canvas vitest passed, canvas npm run build passed. Current Gitea DB status for head cb223735: implementation/SOP/checklist jobs are green; qa-review and security-review are still red because no qualifying APPROVE has been submitted yet.

app-fe added 1 commit 2026-05-23 05:59:59 +00:00

Add display route auth regression test ee2d62f679

hongming commented 2026-05-23 06:00:05 +00:00

Author

Owner

Copy Link

Copy Source

Subagent review follow-up: QA/product and security reviews found no blocking issues. Both recommended a route-level auth regression test for the new display endpoint; added in ee2d62f6 (TestWorkspaceDisplayRoute_RequiresAdminAuth). Verification after patch: targeted router/handler tests passed and workspace-server: go test ./... passed.

Subagent review follow-up: QA/product and security reviews found no blocking issues. Both recommended a route-level auth regression test for the new display endpoint; added in ee2d62f6 (`TestWorkspaceDisplayRoute_RequiresAdminAuth`). Verification after patch: targeted router/handler tests passed and `workspace-server: go test ./...` passed.

core-qa approved these changes 2026-05-23 06:12:18 +00:00

core-qa left a comment

Member

Copy Link

Copy Source

QA approval based on independent subagent QA/product review. No blocking QA issues found. The review-requested route-level auth regression test was added in ee2d62f679 and local backend verification passed.

QA approval based on independent subagent QA/product review. No blocking QA issues found. The review-requested route-level auth regression test was added in ee2d62f6795ba70ae77413ab9990be183b2c72fc and local backend verification passed.

core-qa approved these changes 2026-05-23 06:12:58 +00:00

core-qa left a comment

Member

Copy Link

Copy Source

QA approval based on independent subagent QA/product review. No blocking QA issues found. The review-requested route-level auth regression test was added in ee2d62f679 and local backend verification passed.

QA approval based on independent subagent QA/product review. No blocking QA issues found. The review-requested route-level auth regression test was added in ee2d62f6795ba70ae77413ab9990be183b2c72fc and local backend verification passed.

core-security approved these changes 2026-05-23 06:13:26 +00:00

core-security left a comment

Member

Copy Link

Copy Source

Security approval based on independent subagent security review. No blocking security issues found. The recommended display-route auth regression test was added in ee2d62f679. No browser-control/session access or secrets are exposed in this PR.

Security approval based on independent subagent security review. No blocking security issues found. The recommended display-route auth regression test was added in ee2d62f6795ba70ae77413ab9990be183b2c72fc. No browser-control/session access or secrets are exposed in this PR.

hongming commented 2026-05-23 06:13:53 +00:00

Author

Owner

Copy Link

Copy Source

/qa-recheck

/qa-recheck

hongming commented 2026-05-23 06:13:53 +00:00

Author

Owner

Copy Link

Copy Source

/security-recheck

/security-recheck

hongming merged commit a44f98e177 into main 2026-05-23 06:15:52 +00:00

hongming referenced this issue from a commit 2026-05-23 06:15:53 +00:00

Merge pull request 'feat: #1686 add Display tab unavailable state' (#1701) from feat/1686-display-unavailable into main

hongming deleted branch feat/1686-display-unavailable 2026-05-23 06:15:54 +00:00

hongming referenced this pull request 2026-05-23 06:16:11 +00:00

RFC: Per-workspace EC2 configurability — instance type, volume size, OS, GPU #1686

hongming referenced this pull request 2026-05-23 06:33:12 +00:00

feat: #1686 add Container Config tab skeleton #1705

hongming referenced this pull request 2026-05-23 06:50:28 +00:00

RFC: Per-workspace EC2 configurability — instance type, volume size, OS, GPU #1686

Sign in to join this conversation.

Reviewers

No Reviewers

core-qa

core-security

Labels

Clear labels

area/ci

CI/CD pipeline issues

do-not-auto-merge

Opt out of autonomous merge-queue merging

kind/infrastructure

Infrastructure-related issues

merge-queue

Ready for serialized Gitea merge queue

merge-queue-hold

Temporarily hold PR in merge queue

platform/go

Go platform test issues

release-blocker

Blocks the staging→main promotion / a release

release-test

security

test-label-sre

tier:high

High risk per dev-sop §SOP-6 — ceo only, 24h cooldown

tier:low

Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve

tier:medium

Medium risk per dev-sop §SOP-6 — managers/ceo can approve

triage-test

test

wip

Work in progress — do not auto-merge

No Label tier:medium

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

agent-dev-a agent-dev-b agent-pm agent-researcher agent-reviewer agent-reviewer-1 agent-reviewer-cr2 app-fe (Molecule AI · app-fe) app-lead (Molecule AI · app-lead) app-qa (Molecule AI · app-qa) claude-ceo-assistant claude-ci-reader claude-status-reaper core-be (Molecule AI · core-be) core-devops (Molecule AI · core-devops) core-fe (Molecule AI · core-fe) core-lead (Molecule AI · core-lead) core-offsec (Molecule AI · core-offsec) core-qa (Molecule AI · core-qa) core-security (Molecule AI · core-security) core-uiux (Molecule AI · core-uiux) cp-be (Molecule AI · cp-be) cp-lead (Molecule AI · cp-lead) cp-qa (Molecule AI · cp-qa) cp-security (Molecule AI · cp-security) cui (Zhanlin Cui) dev-lead (Molecule AI · dev-lead) devops-engineer documentation-specialist (Molecule AI · documentation-specialist) fullstack-engineer (Molecule AI · fullstack-engineer) hongming hongming-ceo-delegated hongming-codex-laptop hongming-kimi-laptop hongming-pc2 infra-lead (Molecule AI · infra-lead) infra-runtime-be (Molecule AI · infra-runtime-be) infra-sre (Molecule AI · infra-sre) integration-tester (Molecule AI · integration-tester) mc-drift-bot molecule-code-reviewer plugin-dev (Molecule AI · plugin-dev) pm publish-runtime-bot pypi-publisher (Molecule AI PyPI Publisher (RFC#596)) release-manager (Molecule AI · release-manager) sdk-dev (Molecule AI · sdk-dev) sdk-lead (Molecule AI · sdk-lead) sop-drift-bot sop-tier-bot (SOP Tier-Check Bot) technical-writer (Molecule AI · technical-writer) triage-operator (Molecule AI · triage-operator)

No Assignees

4 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#1701