Skip to content

fix(#546): render the HTTPS onion vhost on the run that captures the address#573

Merged
VijitSingh97 merged 1 commit into
developfrom
claude/fix-546-onion-vhost
Jul 17, 2026
Merged

fix(#546): render the HTTPS onion vhost on the run that captures the address#573
VijitSingh97 merged 1 commit into
developfrom
claude/fix-546-onion-vhost

Conversation

@VijitSingh97

Copy link
Copy Markdown
Collaborator

Closes #546

The https://<onion> SNI vhost (#360) is only emitted by generate_caddyfile once the dashboard onion address is captured — but every capture leg ran after the Caddyfile had been rendered with the placeholder, and none re-rendered it:

  • apply: the post-up capture refreshed .env only; the next apply hit the "No configuration changes detected" early return before ever reaching generate_caddyfile, so the vhost never appeared (stock Tor Browser's HTTPS-First upgrade then fails the TLS handshake — dashboard unreachable over the onion).
  • upgrade: the rotate-dashboard-onion crashes with HOST_IP: unbound variable; onion address not captured when enabled via upgrade #356 capture leg had the identical hole (found during review; the delegated agent's fix covered apply+rotate, the session lead added the upgrade leg).
  • rotate-dashboard-onion: restarted Caddy without regenerating at all — kept serving the retired onion's vhost with none for the new address.

All three legs now run generate_caddyfile + docker compose restart caddy the moment the address lands. Setup is unaffected (provision_tor captures before setup's render). The lying comment ("adds HTTPS on the next apply") is fixed.

Tests (tier 1): black-box apply and rotate_dashboard_onion drives with generate_caddyfile left REAL, asserting on the actual Caddyfile (vhost appears in the same apply run; rotate drops the old vhost and adds the new); shadow-driven stack_upgrade counting generate_caddyfile calls (2 with capture, 1 without).

Revert-proof (pithead fix dropped, tests kept): ✗ upgrade capture regenerates the Caddyfile, ✗ apply: HTTPS onion vhost appears in the SAME apply run, ✗ rotate drops the retired onion's HTTPS vhost, ✗ rotate adds the new onion's HTTPS vhost in the same run — all pass with the fix restored.

Ponytail review: one finding (duplicated shadow helper) — folded into the existing upg_capture helper, −20 lines.

CHANGELOG: Unreleased entry included.

🤖 Generated with Claude Code

…address

generate_caddyfile only emits the https://<onion> SNI vhost (#360) once
the address is captured, but every capture leg ran AFTER the Caddyfile
was rendered with the placeholder and never re-rendered: apply's
post-up capture only refreshed .env (and the next apply no-ops on an
unchanged config), upgrade's capture leg (#356) had the same hole, and
rotate-dashboard-onion restarted caddy without regenerating at all —
serving the retired onion's vhost with none for the new address. All
three legs now regenerate the Caddyfile and restart caddy the moment
the address lands. Setup is unaffected: provision_tor captures before
setup renders.

Closes #546

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@VijitSingh97
VijitSingh97 merged commit f8df10b into develop Jul 17, 2026
15 checks passed
@VijitSingh97
VijitSingh97 deleted the claude/fix-546-onion-vhost branch July 17, 2026 02:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

apply/rotate never render the HTTPS onion vhost after the address is captured — onion dashboard unreachable in Tor Browser

1 participant