feat(xworkmate_bridge): add Windows Scheduled Task deployment and skip Caddy on Windows

group_vars/all.yml

@@ -7,11 +7,11 @@ ansible_host_key_checking: False
 # Set to 'strict' to disable public Caddy/Ingress access for all roles.
 ai_workspace_security_level: standard
 
-# Whether to install/configure the Caddy reverse proxy (public HTTP/TLS ingress).
+# Caddy ingress is enabled by default on Linux where we expect a dedicated box.
-# Default: enabled on Linux, disabled on macOS single-host deploys (no system
+# It is disabled on macOS (developer workstation with port conflicts) and Windows
-# Caddy, /etc/caddy not writable). Override anytime with -e caddy_enabled=true
+# (Caddy not natively supported in our Windows pipeline).
-# (force on) or -e caddy_enabled=false (force off) — extra-vars win.
+# Override anytime with -e caddy_enabled=true or -e caddy_enabled=false.
-caddy_enabled: "{{ ansible_os_family != 'Darwin' }}"
+caddy_enabled: "{{ ansible_os_family != 'Darwin' and ansible_os_family != 'Windows' }}"
 
 # Caddy config root. Linux uses the system path /etc/caddy; macOS (Homebrew)
 # uses /opt/homebrew/etc/caddy. Roles derive their Caddyfile / conf.d / fragment

roles/vhosts/xworkmate_bridge/handlers/main.yml

@@ -22,6 +22,20 @@
   when: ansible_system == 'Darwin'
   listen: Restart bridge
 
+- name: Stop bridge on Windows
+  community.windows.win_command:
+    cmd: schtasks /End /TN "xworkmate-bridge"
+  failed_when: false
+  changed_when: false
+  when: ansible_os_family == 'Windows'
+  listen: Restart bridge
+
+- name: Start bridge on Windows
+  community.windows.win_command:
+    cmd: schtasks /Run /TN "xworkmate-bridge"
+  when: ansible_os_family == 'Windows'
+  listen: Restart bridge
+
 - name: Reload caddy
   ansible.builtin.systemd:
     name: caddy

roles/vhosts/xworkmate_bridge/tasks/main.yml

@@ -23,9 +23,9 @@
   ansible.builtin.file:
     path: "{{ xworkmate_bridge_base_dir }}"
     state: directory
-    owner: "{{ xworkmate_bridge_service_user }}"
+    owner: "{{ xworkmate_bridge_service_user if ansible_os_family != 'Windows' else omit }}"
-    group: "{{ xworkmate_bridge_service_group }}"
+    group: "{{ xworkmate_bridge_service_group if ansible_os_family != 'Windows' else omit }}"
-    mode: "0755"
+    mode: "{{ '0755' if ansible_os_family != 'Windows' else omit }}"
 
 - name: Read existing xworkmate-bridge auth token from systemd units
   ansible.builtin.shell: |
@@ -166,9 +166,9 @@
   ansible.builtin.template:
     src: config.yaml.j2
     dest: "{{ xworkmate_bridge_config_file }}"
-    owner: "{{ xworkmate_bridge_service_user }}"
+    owner: "{{ xworkmate_bridge_service_user if ansible_os_family != 'Windows' else omit }}"
-    group: "{{ xworkmate_bridge_service_group }}"
+    group: "{{ xworkmate_bridge_service_group if ansible_os_family != 'Windows' else omit }}"
-    mode: "0644"
+    mode: "{{ '0644' if ansible_os_family != 'Windows' else omit }}"
   notify: Restart bridge
 
 - name: Restore immutable flag on xworkmate-bridge config file
@@ -363,6 +363,7 @@
   when:
     - not ansible_check_mode
     - ansible_os_family != 'Darwin'
+    - ansible_os_family != 'Windows'
 
 - name: Ensure Caddy is enabled and running
   ansible.builtin.systemd:
@@ -372,12 +373,17 @@
   when:
     - not ansible_check_mode
     - ansible_os_family != 'Darwin'
+    - ansible_os_family != 'Windows'
   become: true
 
 - name: Import macOS specific xworkmate-bridge tasks
   ansible.builtin.import_tasks: macos.yml
   when: ansible_os_family == 'Darwin'
 
+- name: Include Windows specific xworkmate-bridge tasks
+  ansible.builtin.include_tasks: windows.yml
+  when: ansible_os_family == 'Windows'
+
 - name: Apply xworkmate-bridge service and Caddy changes before validation
   ansible.builtin.meta: flush_handlers
   become: true

roles/vhosts/xworkmate_bridge/tasks/windows.yml

@@ -0,0 +1,26 @@
+---
+- name: Deploy xworkmate-bridge Windows startup script
+  ansible.windows.win_template:
+    src: start.ps1.j2
+    dest: "{{ xworkmate_bridge_base_dir }}\\start.ps1"
+  notify: Restart bridge
+
+- name: Create xworkmate-bridge Scheduled Task on Windows
+  community.windows.win_scheduled_task:
+    name: xworkmate-bridge
+    description: "XWorkmate Bridge Service"
+    executable: powershell.exe
+    arguments: "-ExecutionPolicy Bypass -WindowStyle Hidden -File {{ xworkmate_bridge_base_dir }}\\start.ps1"
+    time: startup
+    state: present
+    enabled: true
+    run_level: highest
+    logon_type: service_account
+    user: SYSTEM
+
+- name: Ensure xworkmate-bridge Scheduled Task is running
+  community.windows.win_command:
+    cmd: schtasks /Run /TN "xworkmate-bridge"
+  failed_when: false
+  changed_when: false
+  when: not ansible_check_mode

roles/vhosts/xworkmate_bridge/templates/start.ps1.j2

@@ -0,0 +1,6 @@
+$env:AI_WORKSPACE_AUTH_TOKEN = "{{ ai_workspace_auth_token }}"
+$env:BRIDGE_AUTH_TOKEN = "{{ xworkmate_bridge_effective_auth_token | default(xworkmate_bridge_auth_token) }}"
+$env:BRIDGE_REVIEW_AUTH_TOKEN = "{{ xworkmate_bridge_effective_review_auth_token | default(xworkmate_bridge_review_auth_token) }}"
+$env:BRIDGE_CONFIG_PATH = "{{ xworkmate_bridge_config_file }}"
+
+Start-Process -NoNewWindow -Wait -FilePath "{{ xworkmate_bridge_binary_path }}"