{"id":45921553,"url":"https://github.com/cli-server/cli-server","last_synced_at":"2026-03-04T12:00:49.122Z","repository":{"id":340814390,"uuid":"1167662303","full_name":"cli-server/cli-server","owner":"cli-server","description":"Run Claude Code in the browser. Self-hosted, multi-user, Helm-deployable.","archived":false,"fork":false,"pushed_at":"2026-02-28T12:05:40.000Z","size":324,"stargazers_count":1,"open_issues_count":5,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-02-28T12:43:07.584Z","etag":null,"topics":["ai","claude","claude-code","code-server","docker","helm","kubernetes","oidc","self-hosted","terminal"],"latest_commit_sha":null,"homepage":"https://github.com/cli-server/cli-server","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cli-server.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-02-26T14:45:27.000Z","updated_at":"2026-02-28T12:05:43.000Z","dependencies_parsed_at":"2026-02-28T09:07:04.736Z","dependency_job_id":null,"html_url":"https://github.com/cli-server/cli-server","commit_stats":null,"previous_names":["cli-server/cli-server"],"tags_count":18,"template":false,"template_full_name":null,"purl":"pkg:github/cli-server/cli-server","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cli-server%2Fcli-server","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cli-server%2Fcli-server/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cli-server%2Fcli-server/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cli-server%2Fcli-server/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cli-server","download_url":"https://codeload.github.com/cli-server/cli-server/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cli-server%2Fcli-server/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29965419,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-01T06:55:38.174Z","status":"ssl_error","status_checked_at":"2026-03-01T06:53:04.810Z","response_time":124,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai","claude","claude-code","code-server","docker","helm","kubernetes","oidc","self-hosted","terminal"],"created_at":"2026-02-28T08:50:47.325Z","updated_at":"2026-03-01T09:00:44.239Z","avatar_url":"https://github.com/cli-server.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003ch1 align=\"center\"\u003ecli-server\u003c/h1\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cstrong\u003eRun your \u003ca href=\"https://github.com/opencode-ai/opencode\"\u003ecoding agent\u003c/a\u003e on any machine anywhere and access it in the browser.\u003c/strong\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/cli-server/cli-server/actions\"\u003e\u003cimg src=\"https://github.com/cli-server/cli-server/actions/workflows/build.yml/badge.svg\" alt=\"Build\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/cli-server/cli-server/blob/main/LICENSE\"\u003e\u003cimg src=\"https://img.shields.io/github/license/cli-server/cli-server\" alt=\"License\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/cli-server/cli-server/releases\"\u003e\u003cimg src=\"https://img.shields.io/github/v/release/cli-server/cli-server\" alt=\"Release\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n---\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"assets/screenshot.png\" alt=\"cli-server Web UI\" width=\"800\"\u003e\n\u003c/p\u003e\n\ncli-server is to [opencode](https://github.com/opencode-ai/opencode) what [code-server](https://github.com/coder/code-server) is to VS Code — a self-hosted web interface that lets your team use a coding agent from a browser, no local installation required.\n\n## Highlights\n\n- **Browser-based coding agent** — Each sandbox runs [opencode](https://github.com/opencode-ai/opencode) serve, accessible via a per-sandbox subdomain\n- **Local agent tunneling** — Connect a locally-running opencode instance to cli-server via a WebSocket reverse tunnel, no public IP needed\n- **Workspaces \u0026 multi-tenancy** — Organize work into workspaces with role-based membership (owner / maintainer / developer / guest); each workspace has a shared persistent disk\n- **Sandboxes** — Create multiple sandboxes per workspace; pause, resume, and auto-pause on idle\n- **Two backends** — Run sandbox containers via Docker (single node) or Kubernetes with [Agent Sandbox](https://github.com/kubernetes-sigs/agent-sandbox) + gVisor isolation\n- **SSO / OIDC** — Built-in GitHub OAuth and generic OIDC support; accounts are linked by email\n- **Anthropic API proxy** — Sandboxes never see the real API key; cli-server injects it server-side via a per-sandbox proxy token\n- **Rich dev environment** — Sandbox image ships with Go, Rust, C/C++, Node.js, Python 3, and common tools out of the box\n- **Cross-platform binary** — Pre-built binaries for Linux, macOS, and Windows (amd64 / arm64)\n- **Helm one-liner** — Deploy to any Kubernetes cluster in minutes\n\n## Architecture\n\n```\nBrowser ──▶ cli-server (Go) ──▶ sandbox pod / container\n               │                   └─ opencode serve (:4096)\n               │\n               ├─ PostgreSQL (users, workspaces, sandboxes)\n               ├─ Anthropic API proxy (injects real API key)\n               │\n               │               WebSocket tunnel\nLocal machine ─┼──▶ cli-server agent connect ──────────▶ cli-server\n               └─ opencode serve (:4096)                    │\n                                                    Browser access via\n                                                    subdomain proxy\n```\n\n| Component | Description |\n|-----------|-------------|\n| **cli-server** | Go HTTP server — auth, workspace \u0026 sandbox management, opencode subdomain proxy, WebSocket tunnel, Anthropic API proxy, static frontend |\n| **sandbox** | Container running opencode serve — one per sandbox, isolated via Docker or K8s Agent Sandbox |\n| **local agent** | `cli-server agent connect` — connects a local opencode instance to the server via a WebSocket reverse tunnel |\n\n## Quick Start\n\n### Prerequisites\n\n- Kubernetes cluster (or Docker for local dev)\n- PostgreSQL database\n- An [Anthropic API key](https://console.anthropic.com/)\n\n### Helm Install\n\n```bash\nhelm install cli-server oci://ghcr.io/cli-server/charts/cli-server \\\n  --namespace cli-server --create-namespace \\\n  --set database.url=\"postgres://user:pass@postgres:5432/cliserver?sslmode=disable\" \\\n  --set anthropicApiKey=\"sk-ant-...\" \\\n  --set ingress.enabled=true \\\n  --set ingress.host=\"cli.example.com\" \\\n  --set baseDomain=\"cli.example.com\"\n```\n\nOpen `https://cli.example.com`, register an account, create a workspace, and launch a sandbox.\n\n### Docker Compose (Local Development)\n\n```bash\ngit clone https://github.com/cli-server/cli-server.git\ncd cli-server\n\n# Build the opencode agent image\ndocker build -f Dockerfile.opencode -t cli-server-agent:latest .\n\n# Set your API key\nexport ANTHROPIC_API_KEY=\"sk-ant-...\"\n\n# Start everything\ndocker compose up -d\n```\n\nOpen `http://localhost:8080` in your browser.\n\n## Local Agent Tunneling\n\nYou can connect a locally-running opencode instance to cli-server without a public IP or any third-party tunnel tool. The server manages it like any other sandbox — accessible via subdomain proxy in the Web UI.\n\n### How it works\n\n1. In the Web UI, click the laptop icon next to \"Sandboxes\" to generate a one-time registration code\n2. On your local machine, download `cli-server` from the [latest release](https://github.com/cli-server/cli-server/releases) and run:\n\n```bash\n# First time: register with the code\ncli-server agent connect \\\n  --server https://cli.example.com \\\n  --code \u003cregistration-code\u003e \\\n  --name \"My MacBook\" \\\n  --opencode-url http://localhost:4096\n\n# Subsequent runs: auto-reconnects using saved credentials (~/.cli-server/agent.json)\ncli-server agent connect --opencode-url http://localhost:4096\n```\n\n3. A new sandbox labeled **local** appears in the Web UI. Click \"Open\" to access your local opencode through the browser.\n\n### Features\n\n- **Zero configuration networking** — WebSocket tunnel punches through NATs and firewalls\n- **Auto-reconnect** — Exponential backoff reconnection on disconnect (1s → 2s → 4s → ... → 60s)\n- **Binary protocol** — Raw binary WebSocket frames with chunked streaming, no base64 overhead\n- **SSE streaming** — Agent execution updates stream in real-time through the tunnel\n- **Offline detection** — Web UI shows `offline` status when the agent disconnects; automatically recovers to `running` on reconnect\n\n### Tunnel protocol\n\nThe tunnel uses a binary WebSocket protocol. Each message is a binary frame:\n\n```\n[4 bytes: JSON header length] [JSON header] [raw binary payload]\n```\n\n- **Server → Agent**: request header (method, path, HTTP headers) + request body\n- **Agent → Server**: stream header (status, HTTP headers, done flag) + response body chunk (16KB max)\n\nAll responses are chunked, keeping each WebSocket message well under the default 32KB limit.\n\n## Concepts\n\n### Workspaces\n\nA workspace is a collaborative unit. It has members with roles and owns a shared persistent disk (PVC in K8s, named volume in Docker). All sandboxes in a workspace share this disk at `/data/disk0`.\n\n| Role | Permissions |\n|------|-------------|\n| **owner** | Full control — manage members, delete workspace, create/manage sandboxes |\n| **maintainer** | Add members, create/manage sandboxes |\n| **developer** | Create and manage sandboxes |\n| **guest** | View sandboxes (read-only access) |\n\n### Sandboxes\n\nA sandbox is an isolated container running opencode serve, or a local agent connected via WebSocket tunnel. Each sandbox:\n\n- Has its own opencode instance accessible via `oc-{sandboxID}.{baseDomain}`\n- Cloud sandboxes can be paused (scales to 0 replicas / stops container) and resumed\n- Cloud sandboxes are automatically paused after a configurable idle timeout\n- Local sandboxes show `offline` when the agent disconnects and recover on reconnect\n- Gets a unique proxy token for Anthropic API access\n\n### Sandbox statuses\n\n| Status | Description |\n|--------|-------------|\n| `creating` | Container is being provisioned |\n| `running` | Sandbox is active and accessible |\n| `pausing` | Container is being paused |\n| `paused` | Container is stopped, can be resumed |\n| `resuming` | Container is being restarted |\n| `offline` | Local agent disconnected (will recover on reconnect) |\n\n## Configuration\n\n### Helm Values\n\n| Parameter | Description | Default |\n|-----------|-------------|---------|\n| `image.repository` | Server image | `ghcr.io/cli-server/cli-server` |\n| `image.tag` | Server image tag | `latest` |\n| `opencode.image` | Opencode agent image for sandbox pods | `ghcr.io/cli-server/opencode-agent:latest` |\n| `opencode.runtimeClassName` | RuntimeClass for sandbox pods (e.g. `gvisor`) | `\"\"` |\n| `database.url` | PostgreSQL connection string | (required) |\n| `anthropicApiKey` | Anthropic API key | (required) |\n| `anthropicBaseUrl` | Custom Anthropic API base URL | `\"\"` |\n| `anthropicAuthToken` | Anthropic auth token (alternative to API key) | `\"\"` |\n| `backend` | Sandbox backend: `docker` or `k8s` | `docker` |\n| `baseDomain` | Base domain for subdomain routing (e.g. `cli.example.com`) | `\"\"` |\n| `baseScheme` | URL scheme for generated URLs | `https` |\n| `idleTimeout` | Auto-pause idle sandboxes after | `30m` |\n| `persistence.sessionStorageSize` | Per-sandbox ephemeral storage | `5Gi` |\n| `persistence.userDriveSize` | Per-workspace shared disk size | `10Gi` |\n| `persistence.storageClassName` | Storage class for PVCs | `\"\"` (cluster default) |\n| `workspace.resources` | Resource limits/requests for sandbox pods | `1Gi/1cpu` limits |\n| `agentSandbox.install` | Install Agent Sandbox controller | `true` |\n| `ingress.enabled` | Enable Nginx Ingress | `false` |\n| `ingress.host` | Ingress hostname | `cli-server.example.com` |\n| `ingress.tls` | Enable TLS (cert-manager) | `false` |\n| `gateway.enabled` | Enable Gateway API HTTPRoute | `false` |\n\n### OIDC Authentication\n\ncli-server supports GitHub OAuth and generic OIDC providers alongside username/password auth. Accounts with the same email are automatically linked.\n\n**GitHub OAuth:**\n\n```bash\nhelm upgrade cli-server oci://ghcr.io/cli-server/charts/cli-server \\\n  --reuse-values \\\n  --set oidc.redirectBaseUrl=\"https://cli.example.com\" \\\n  --set oidc.github.enabled=true \\\n  --set oidc.github.clientId=\"your-client-id\" \\\n  --set oidc.github.clientSecret=\"your-client-secret\"\n```\n\nSet the callback URL in your GitHub OAuth App to: `https://cli.example.com/api/auth/oidc/github/callback`\n\n**Generic OIDC (Keycloak, Authentik, etc.):**\n\n```bash\nhelm upgrade cli-server oci://ghcr.io/cli-server/charts/cli-server \\\n  --reuse-values \\\n  --set oidc.redirectBaseUrl=\"https://cli.example.com\" \\\n  --set oidc.generic.enabled=true \\\n  --set oidc.generic.issuerUrl=\"https://idp.example.com/realms/main\" \\\n  --set oidc.generic.clientId=\"cli-server\" \\\n  --set oidc.generic.clientSecret=\"your-secret\"\n```\n\n### Kubernetes Backend\n\nFor production multi-tenant deployments, use the Kubernetes backend with gVisor sandbox isolation:\n\n```bash\nhelm upgrade cli-server oci://ghcr.io/cli-server/charts/cli-server \\\n  --reuse-values \\\n  --set backend=k8s \\\n  --set opencode.runtimeClassName=gvisor \\\n  --set sandbox.namespace=cli-server\n```\n\nThis uses the [Kubernetes Agent Sandbox](https://github.com/kubernetes-sigs/agent-sandbox) controller to manage isolated pods per sandbox.\n\n### Environment Variables\n\n| Variable | Description |\n|----------|-------------|\n| `DATABASE_URL` | PostgreSQL connection string |\n| `ANTHROPIC_API_KEY` | Anthropic API key |\n| `ANTHROPIC_BASE_URL` | Custom API base URL |\n| `ANTHROPIC_AUTH_TOKEN` | Anthropic auth token (alternative to API key) |\n| `ANTHROPIC_PROXY_URL` | URL sandbox pods use to reach the Anthropic proxy |\n| `BASE_DOMAIN` | Base domain for subdomain routing |\n| `BASE_SCHEME` | URL scheme (`http` or `https`) |\n| `IDLE_TIMEOUT` | Auto-pause timeout (e.g. `30m`) |\n| `AGENT_IMAGE` | Container image for sandbox agents |\n| `OIDC_REDIRECT_BASE_URL` | External URL for OIDC callbacks |\n| `GITHUB_CLIENT_ID` | GitHub OAuth client ID |\n| `GITHUB_CLIENT_SECRET` | GitHub OAuth client secret |\n| `OIDC_ISSUER_URL` | Generic OIDC issuer URL |\n| `OIDC_CLIENT_ID` | Generic OIDC client ID |\n| `OIDC_CLIENT_SECRET` | Generic OIDC client secret |\n\n## API\n\nAll endpoints under `/api/` require authentication via cookie unless noted otherwise.\n\n### Workspaces\n\n| Method | Endpoint | Description |\n|--------|----------|-------------|\n| `GET` | `/api/workspaces` | List workspaces for current user |\n| `POST` | `/api/workspaces` | Create workspace (caller becomes owner) |\n| `GET` | `/api/workspaces/{id}` | Get workspace details |\n| `DELETE` | `/api/workspaces/{id}` | Delete workspace (owner only) |\n\n### Members\n\n| Method | Endpoint | Description |\n|--------|----------|-------------|\n| `GET` | `/api/workspaces/{id}/members` | List members |\n| `POST` | `/api/workspaces/{id}/members` | Add member (owner/maintainer) |\n| `PUT` | `/api/workspaces/{id}/members/{userId}` | Update member role (owner) |\n| `DELETE` | `/api/workspaces/{id}/members/{userId}` | Remove member (owner) |\n\n### Sandboxes\n\n| Method | Endpoint | Description |\n|--------|----------|-------------|\n| `GET` | `/api/workspaces/{wid}/sandboxes` | List sandboxes in workspace |\n| `POST` | `/api/workspaces/{wid}/sandboxes` | Create sandbox (developer+) |\n| `GET` | `/api/sandboxes/{id}` | Get sandbox details |\n| `DELETE` | `/api/sandboxes/{id}` | Delete sandbox |\n| `POST` | `/api/sandboxes/{id}/pause` | Pause sandbox (cloud only) |\n| `POST` | `/api/sandboxes/{id}/resume` | Resume sandbox (cloud only) |\n\n### Local Agent\n\n| Method | Endpoint | Auth | Description |\n|--------|----------|------|-------------|\n| `POST` | `/api/workspaces/{wid}/agent-code` | Cookie | Generate one-time registration code (developer+) |\n| `POST` | `/api/agent/register` | Registration code | Register local agent, returns sandbox ID and tunnel token |\n| `GET` | `/api/tunnel/{sandboxId}?token={tunnelToken}` | Tunnel token | WebSocket tunnel endpoint |\n\n## Contributing\n\n```bash\n# Backend\ngo run . serve --db-url \"postgres://...\" --backend docker\n\n# Frontend (separate terminal)\ncd web \u0026\u0026 pnpm install \u0026\u0026 pnpm dev\n```\n\n## License\n\n[MIT](LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcli-server%2Fcli-server","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcli-server%2Fcli-server","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcli-server%2Fcli-server/lists"}