🚧 DO NOT MERGE: HTTPS/HTTP2 on watchdog to eliminate connection pool exhaustion

[clubanderson]

Summary

• HTTP/2 multiplexing: The watchdog reverse proxy now serves HTTPS with HTTP/2. All 17+ SSE streams multiplex over a single TCP connection, eliminating the browser's 6-connection HTTP/1.1 limit that caused "Connection lost" and slow dashboard loading.
• Self-signed TLS cert: Auto-generates an ECDSA P-256 cert for localhost/127.0.0.1/::1, stored in ./data/tls/, valid 1 year, reused if not expired.
• SSE flush fix: Sets proxy.FlushInterval = -1 on the reverse proxy so SSE events are forwarded immediately (not buffered).
• OAuth scheme-aware: backendURL() and startup script updated to use https:// when TLS is active.

Architecture

Browser (HTTPS/H2) --TLS--> Watchdog :8080 --HTTP/1.1--> Backend :8081
                                                          (Fiber/fasthttp)

Changes

File	Change
cmd/console/watchdog.go	TLS cert generation, ListenAndServeTLS, FlushInterval = -1
cmd/console/main.go	--tls flag
startup-oauth.sh	Pass --tls, TLS_ENABLED=true, https:// URLs
pkg/api/server.go	TLSEnabled config, scheme-aware backendURL()
pkg/api/handlers/auth.go	Comment clarifying OAuth callback scheme
web/vite.config.ts	Dev proxy targets → https://localhost:8080 with secure: false

Test plan

• startup-oauth.sh starts watchdog with HTTPS
• Browser shows h2 protocol in DevTools Network tab
• All SSE streams load concurrently without blocking
• No more "Connection lost" snackbar from connection pool exhaustion
• OAuth login flow works with https:// callback
• start-dev.sh still works (no TLS, HTTP/1.1)
• npm run build && npm run lint passes

🤖 Generated with Claude Code

[kubestellar-prow]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign clubanderson for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[netlify]

❌ Deploy Preview for kubestellarconsole failed. Why did it fail? →

Name	Link
🔨 Latest commit	22025fc
🔍 Latest deploy log	https://app.netlify.com/projects/kubestellarconsole/deploys/69c2ca2ec48091000864fd55

[github-actions]

👋 Hey @clubanderson — thanks for opening this PR!

🤖 This project is developed exclusively using AI coding assistants.

Please do not attempt to code anything for this project manually.
All contributions should be authored using an AI coding tool such as:

• Claude Code (Opus 4.5 / 4.6) — recommended
• GitHub Copilot
• Cursor
• Other AI coding assistants

This ensures consistency in code style, architecture patterns, test coverage,
and commit quality across the entire codebase.

---

This is an automated message.

[Copilot]

Pull request overview

Adds optional TLS (HTTPS + HTTP/2) support to the watchdog reverse proxy to multiplex many SSE streams over a single connection, reducing browser connection pool contention and improving dashboard load reliability.

Changes:

• Watchdog can now serve HTTPS/HTTP2 with auto-generated self-signed localhost certs and immediate SSE flushing.
• Backend config gains TLS awareness for scheme-correct OAuth callback URL generation.
• Dev tooling/scripts updated to route through the TLS-enabled watchdog (including Vite dev proxy and OAuth startup script).

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
cmd/console/watchdog.go	Adds TLS cert generation/reuse, ListenAndServeTLS, and ReverseProxy.FlushInterval = -1 for SSE.
cmd/console/main.go	Adds --tls flag to enable watchdog TLS mode.
pkg/api/server.go	Adds TLSEnabled config and scheme-aware backendURL() used for OAuth redirect URL construction.
pkg/api/handlers/auth.go	Clarifies comment about callback scheme when watchdog TLS is enabled.
startup-oauth.sh	Starts watchdog with --tls, exports TLS_ENABLED=true, and updates printed/setup URLs to https://.
web/vite.config.ts	Switches dev proxy targets to https://localhost:8080 / wss://localhost:8080 and disables cert verification (secure:false).

[Copilot]

Vite dev-server proxy is now hard-coded to https://localhost:8080 (and wss:// for /ws). This will break the existing start-dev.sh flow where the backend listens on plain HTTP :8080 (no watchdog/TLS), because the dev server will attempt a TLS handshake to an HTTP server. Make the proxy scheme conditional (e.g., based on process.env.TLS_ENABLED or a dedicated VITE_* env var) so HTTP is used by default and HTTPS is only used when the watchdog is started with --tls (and only set secure:false in that case).

[Copilot]

ensureSelfSignedCert() treats an existing cert as usable based solely on certValid(certFile), but it never checks that the corresponding key file exists and matches the cert. If localhost.key is missing/corrupted (or doesn't match the cert), ListenAndServeTLS will fail at runtime. Consider validating the key pair (e.g., tls.LoadX509KeyPair) and regenerating if either file is missing/invalid/mismatched, rather than checking only the cert expiration.

[clubanderson]

🔄 Auto-Applying Copilot Code Review

Copilot code review found 0 code suggestion(s) and 2 general comment(s).

Also address these general comments:

• web/vite.config.ts (line 209): Vite dev-server proxy is now hard-coded to https://localhost:8080 (and wss:// for /ws). This will break the existing
• cmd/console/watchdog.go (line 298): ensureSelfSignedCert() treats an existing cert as usable based solely on certValid(certFile), but it never checks th

Push all fixes in a single commit. Run cd web && npm run build && npm run lint before committing.

---

Auto-generated by copilot-review-apply workflow.

[github-actions]

❌ PR Title Verification Failed

Your PR title does not follow the required format.

Current title: 🚧 DO NOT MERGE: HTTPS/HTTP2 on watchdog to eliminate connection pool exhaustion

Required Format

PR titles must start with one of these emoji prefixes:

Emoji	Meaning
⚠️	Breaking change
✨	Non-breaking feature
🐛	Patch fix / Bug fix
📖	Documentation
🚀	Release
🌱	Infra/Tests/Other

How to Fix

Edit your PR title to start with the appropriate emoji. For example:

• ✨ Add new feature for user authentication
• 🐛 Fix crash when loading empty config
• 📖 Update installation guide

You can edit the title by clicking the Edit button next to your PR title.

---

This comment was automatically posted by the PR Title Verifier workflow.

[kubestellar-prow]

Thanks for your pull request. Before we can look at it, you'll need to add a 'DCO signoff' to your commits.

📝 Please follow instructions in the contributing guide to update your commits with the DCO

Full details of the Developer Certificate of Origin can be found at developercertificate.org.

The list of commits missing DCO signoff:

• 047dc3b feat: add HTTPS/HTTP2 support to watchdog reverse proxy
• 53a6c8d fix: update smoke test for HTTPS watchdog
• eae24f5 fix: make Vite proxy TLS-conditional and validate cert+key pair
• 88a7222 fix: warn developers to update OAuth callback URL when TLS is enabled
• e589d6e merge: resolve conflicts with main (watchdog stage file + version flag)
• 504a499 fix: improve card loading UX — prefetch chunks, fix device tracker timeout, wire isRefreshing
• e952b66 fix: skeleton on refresh with empty cache + proxy Vite to backend port 8081
• 2c96db4 fix: treat empty cached data as no cache — show skeleton not empty state
• 22025fc fix: remove duplicate constant and fix TS errors after rebase

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[kubestellar-prow]

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.