Align xworkmate bridge playbooks with live services

2026-04-20 17:20:03 +08:00 · 2026-04-20 17:20:03 +08:00 · ae5f7c5b4e
commit ae5f7c5b4e
parent acfe7f564d
31 changed files with 325 additions and 181 deletions
--- a/deploy_acp_codex_vhosts.yml
+++ b/deploy_acp_codex_vhosts.yml
@ -4,6 +4,8 @@
  become: true
  gather_facts: true
  roles:
    - role: roles/vhosts/acp_server_codex/
      tags: [acp_codex]
    - role: roles/vhosts/xworkmate_bridge/
      vars:
        deploy_acp_codex: true
--- a/deploy_acp_gemini_vhosts.yml
+++ b/deploy_acp_gemini_vhosts.yml
@ -4,6 +4,8 @@
  become: true
  gather_facts: true
  roles:
    - role: roles/vhosts/acp_server_gemini/
      tags: [acp_gemini]
    - role: roles/vhosts/xworkmate_bridge/
      vars:
        deploy_acp_codex: false
--- a/deploy_acp_opencode_vhosts.yml
+++ b/deploy_acp_opencode_vhosts.yml
@ -4,6 +4,8 @@
  become: true
  gather_facts: true
  roles:
    - role: roles/vhosts/acp_server_opencode/
      tags: [acp_opencode]
    - role: roles/vhosts/xworkmate_bridge/
      vars:
        deploy_acp_codex: false
--- a/deploy_xworkmate_bridge_vhosts.yml
+++ b/deploy_xworkmate_bridge_vhosts.yml
@ -4,5 +4,13 @@
  become: true
  gather_facts: true
  roles:
    - role: roles/vhosts/acp_server_codex/
      tags: [acp_codex]
    - role: roles/vhosts/acp_server_opencode/
      tags: [acp_opencode]
    - role: roles/vhosts/acp_server_gemini/
      tags: [acp_gemini]
    - role: roles/vhosts/acp_server_hermes/
      tags: [acp_hermes]
    - role: roles/vhosts/xworkmate_bridge/
      tags: [xworkmate_bridge]
--- a/roles/vhosts/acp_server_codex/README.md
+++ b/roles/vhosts/acp_server_codex/README.md
@ -10,7 +10,7 @@ Installs:
 Exposes:
 - raw Codex upstream: `codex app-server --listen ws://127.0.0.1:9001`
- public ACP bridge: `127.0.0.1:9010` via `acp-bridge-codex`
+- public ACP bridge: `127.0.0.1:9001` via `acp-bridge-codex`
 - public base URL: `https://xworkmate-bridge.svc.plus/codex`
 Notes:
--- a/roles/vhosts/acp_server_codex/defaults/main.yml
+++ b/roles/vhosts/acp_server_codex/defaults/main.yml
@ -1,5 +1,5 @@
 ---
-acp_codex_service_name: codex-app-server
+acp_codex_service_name: acp-codex
 acp_codex_runtime_user: ubuntu
 acp_codex_runtime_group: "{{ acp_codex_runtime_user }}"
 acp_codex_runtime_home: "/home/{{ acp_codex_runtime_user }}"
@ -8,35 +8,27 @@ acp_codex_service_group: "{{ acp_codex_runtime_group }}"
 acp_codex_workdir: "{{ acp_codex_runtime_home }}"
 acp_codex_listen_host: 127.0.0.1
 acp_codex_listen_port: 9001
-acp_codex_bridge_service_name: acp-bridge-codex
+acp_codex_packages: []
-acp_codex_bridge_legacy_service_names:
+acp_codex_caddy_conf_dir: /etc/caddy/conf.d
-  - acp-bridge
+acp_codex_enable_ufw: false
-  - xworkmate-codex-acp-bridge
+acp_codex_caddyfile_path: /etc/caddy/Caddyfile
-acp_codex_bridge_binary_path: /usr/local/bin/xworkmate-go-core
+acp_codex_manage_caddy: false
 acp_codex_bridge_service_name: xworkmate-bridge
 acp_codex_bridge_local_source_dir: "{{ playbook_dir }}/../xworkmate-bridge"
 acp_codex_bridge_local_build_dir: "{{ playbook_dir }}/.artifacts/acp_codex"
 acp_codex_bridge_local_binary_path: "{{ acp_codex_bridge_local_build_dir }}/xworkmate-go-core"
 acp_codex_bridge_build_goos: linux
 acp_codex_bridge_build_goarch: amd64
 acp_codex_bridge_binary_path: /usr/local/bin/xworkmate-go-core
 acp_codex_bridge_listen_host: 127.0.0.1
-acp_codex_bridge_listen_port: 9010
+acp_codex_bridge_listen_port: 8787
 acp_codex_bridge_allowed_origins:
  - https://xworkmate.svc.plus
  - http://localhost:*
  - http://127.0.0.1:*
 acp_codex_environment:
  CODEX_HOME: "{{ acp_codex_runtime_home }}/.codex"
  OPENAI_API_KEY: "{{ lookup('ansible.builtin.env', 'OPENAI_API_KEY') | default('', true) }}"
  OPENAI_BASE_URL: "{{ lookup('ansible.builtin.env', 'OPENAI_BASE_URL') | default('', true) }}"
  OPENAI_BASE_API_URL: "{{ lookup('ansible.builtin.env', 'OPENAI_BASE_API_URL') | default('', true) }}"
 acp_codex_auth_token: "{{ lookup('ansible.builtin.env', 'INTERNAL_SERVICE_TOKEN') | default('', true) }}"
 acp_codex_public_base_url: https://xworkmate-bridge.svc.plus/codex
-acp_codex_caddyfile_path: /etc/caddy/Caddyfile
+acp_codex_auth_token: "{{ lookup('ansible.builtin.env', 'INTERNAL_SERVICE_TOKEN') | default('', true) }}"
-acp_codex_caddy_conf_dir: /etc/caddy/conf.d
+acp_codex_environment: {}
 acp_codex_manage_caddy: true
 acp_codex_obsolete_caddy_fragment_paths:
  - /etc/caddy/conf.d/acp-server-codex.caddy
-acp_codex_enable_ufw: true
+  - /etc/caddy/conf.d/acp-server.caddy
 acp_codex_packages:
  - caddy
  - bubblewrap
--- a/roles/vhosts/acp_server_codex/handlers/main.yml
+++ b/roles/vhosts/acp_server_codex/handlers/main.yml
@ -4,12 +4,7 @@
    name: caddy
    state: reloaded
- name: Restart codex app server
+- name: Restart acp codex
  ansible.builtin.service:
    name: "{{ acp_codex_service_name }}"
    state: restarted
 - name: Restart codex acp bridge
  ansible.builtin.service:
    name: "{{ acp_codex_bridge_service_name }}"
    state: restarted
--- a/roles/vhosts/acp_server_codex/tasks/config.yml
+++ b/roles/vhosts/acp_server_codex/tasks/config.yml
@ -26,25 +26,6 @@
    owner: root
    group: root
    mode: "0755"
  notify: Restart codex acp bridge
 - name: Stop and disable legacy Codex ACP bridge services
  ansible.builtin.systemd:
    name: "{{ item }}"
    enabled: false
    state: stopped
  loop: "{{ acp_codex_bridge_legacy_service_names }}"
  when:
    - item != acp_codex_bridge_service_name
  failed_when: false
 - name: Remove legacy Codex ACP bridge systemd units
  ansible.builtin.file:
    path: "/etc/systemd/system/{{ item }}.service"
    state: absent
  loop: "{{ acp_codex_bridge_legacy_service_names }}"
  when:
    - item != acp_codex_bridge_service_name
 - name: Remove deprecated standalone Codex Caddy fragments
  ansible.builtin.file:
@ -71,16 +52,7 @@
    owner: root
    group: root
    mode: "0644"
-  notify: Restart codex app server
+  notify: Restart acp codex
 - name: Deploy XWorkmate Codex ACP bridge service
  ansible.builtin.template:
    src: acp-bridge.service.j2
    dest: "/etc/systemd/system/{{ acp_codex_bridge_service_name }}.service"
    owner: root
    group: root
    mode: "0644"
  notify: Restart codex acp bridge
 - name: Reload systemd manager configuration
  ansible.builtin.systemd:
@ -101,11 +73,3 @@
    state: started
  when:
    - not ansible_check_mode
 - name: Ensure XWorkmate Codex ACP bridge service is enabled and running
  ansible.builtin.systemd:
    name: "{{ acp_codex_bridge_service_name }}"
    enabled: true
    state: started
  when:
    - not ansible_check_mode
--- a/roles/vhosts/acp_server_codex/tasks/install.yml
+++ b/roles/vhosts/acp_server_codex/tasks/install.yml
@ -8,6 +8,8 @@
    DEBIAN_FRONTEND: noninteractive
    APT_LISTCHANGES_FRONTEND: none
  become: true
  when:
    - acp_codex_packages | default([]) | length > 0
 - name: Ensure Caddy conf directory exists
  ansible.builtin.file:
--- a/roles/vhosts/acp_server_gemini/defaults/main.yml
+++ b/roles/vhosts/acp_server_gemini/defaults/main.yml
@ -1,23 +1,26 @@
 ---
-acp_gemini_service_name: acp-gemini-adapter
+acp_gemini_service_name: acp-gemini
 acp_gemini_service_user: ubuntu
-acp_gemini_service_group: "{{ acp_gemini_service_user }}"
+acp_gemini_service_group: ubuntu
-acp_gemini_home: "/home/{{ acp_gemini_service_user }}"
+acp_gemini_home: /home/ubuntu
-acp_gemini_workdir: "{{ acp_gemini_home }}"
+acp_gemini_workdir: /home/ubuntu/.gemini
-acp_gemini_xdg_config_home: "{{ acp_gemini_home }}/.config"
+acp_gemini_xdg_config_home: /home/ubuntu/.config
-acp_gemini_xdg_state_home: "{{ acp_gemini_home }}/.local/state"
+acp_gemini_xdg_state_home: /home/ubuntu/.local/state
-acp_gemini_config_dir: "{{ acp_gemini_home }}/.gemini"
+acp_gemini_config_dir: /home/ubuntu/.gemini
 acp_gemini_binary_path: /usr/bin/gemini
 acp_gemini_args: --experimental-acp
 acp_gemini_bridge_binary_path: /usr/local/bin/xworkmate-go-core
 acp_gemini_bridge_local_source_dir: "{{ playbook_dir }}/../xworkmate-bridge"
 acp_gemini_bridge_local_build_dir: "{{ playbook_dir }}/.artifacts/acp_gemini"
 acp_gemini_bridge_local_binary_path: "{{ acp_gemini_bridge_local_build_dir }}/xworkmate-go-core"
 acp_gemini_bridge_build_goos: linux
 acp_gemini_bridge_build_goarch: amd64
 acp_gemini_bridge_binary_path: /usr/local/bin/xworkmate-go-core
 acp_gemini_listen_host: 127.0.0.1
 acp_gemini_listen_port: 8791
 acp_gemini_packages: []
 acp_gemini_caddy_conf_dir: /etc/caddy/conf.d
 acp_gemini_enable_ufw: false
 acp_gemini_caddyfile_path: /etc/caddy/Caddyfile
 acp_gemini_allowed_origins:
  - https://xworkmate.svc.plus
  - http://localhost:*
@ -31,5 +34,6 @@ acp_gemini_environment:
  GEMINI_CONFIG_DIR: "{{ acp_gemini_config_dir }}"
  GEMINI_ADAPTER_AUTH_TOKEN: "{{ acp_gemini_auth_token }}"
  ACP_GEMINI_BIN: "{{ acp_gemini_binary_path }}"
-acp_gemini_packages:
+acp_gemini_obsolete_caddy_fragment_paths:
-  - caddy
+  - /etc/caddy/conf.d/acp-server-gemini.caddy
  - /etc/caddy/conf.d/acp-server.caddy
--- a/roles/vhosts/acp_server_gemini/handlers/main.yml
+++ b/roles/vhosts/acp_server_gemini/handlers/main.yml
@ -1,5 +1,5 @@
 ---
- name: Restart gemini acp adapter
+- name: Restart acp gemini
  ansible.builtin.systemd:
    name: "{{ acp_gemini_service_name }}"
    state: restarted
--- a/roles/vhosts/acp_server_gemini/tasks/config.yml
+++ b/roles/vhosts/acp_server_gemini/tasks/config.yml
@ -27,7 +27,7 @@
    owner: "{{ acp_gemini_service_user }}"
    group: "{{ acp_gemini_service_group }}"
    mode: "0755"
-  notify: Restart gemini acp adapter
+  notify: Restart acp gemini
 - name: Deploy Gemini ACP adapter service
  ansible.builtin.template:
@ -36,7 +36,7 @@
    owner: root
    group: root
    mode: "0644"
-  notify: Restart gemini acp adapter
+  notify: Restart acp gemini
 - name: Reload systemd manager configuration for Gemini ACP
  ansible.builtin.systemd:
--- a/roles/vhosts/acp_server_hermes/defaults/main.yml
+++ b/roles/vhosts/acp_server_hermes/defaults/main.yml
@ -0,0 +1,32 @@
 ---
 acp_hermes_service_name: acp-hermes
 acp_hermes_bridge_local_source_dir: "{{ playbook_dir }}/../xworkmate-bridge"
 acp_hermes_bridge_local_build_dir: "{{ playbook_dir }}/.artifacts/acp_hermes"
 acp_hermes_bridge_local_binary_path: "{{ acp_hermes_bridge_local_build_dir }}/xworkmate-go-core"
 acp_hermes_bridge_build_goos: linux
 acp_hermes_bridge_build_goarch: amd64
 acp_hermes_listen_host: 127.0.0.1
 acp_hermes_listen_port: 3920
 acp_hermes_service_user: ubuntu
 acp_hermes_service_group: ubuntu
 acp_hermes_bridge_binary_path: /usr/local/bin/xworkmate-go-core
 acp_hermes_workdir: /home/ubuntu/hermes-agent
 acp_hermes_home: /home/ubuntu
 acp_hermes_binary_path: /home/ubuntu/hermes-agent/venv/bin/hermes
 acp_hermes_args: acp
 acp_hermes_xdg_config_home: /home/ubuntu/.config
 acp_hermes_xdg_state_home: /home/ubuntu/.local/state
 acp_hermes_allowed_origins:
  - https://xworkmate.svc.plus
  - http://localhost:*
  - http://127.0.0.1:*
 acp_hermes_public_base_url: https://xworkmate-bridge.svc.plus/hermes
 acp_hermes_manage_caddy: false
 acp_hermes_auth_token: "{{ lookup('ansible.builtin.env', 'INTERNAL_SERVICE_TOKEN') | default('', true) }}"
 acp_hermes_environment:
  XDG_CONFIG_HOME: "{{ acp_hermes_xdg_config_home }}"
  XDG_STATE_HOME: "{{ acp_hermes_xdg_state_home }}"
  HERMES_ADAPTER_AUTH_TOKEN: "{{ acp_hermes_auth_token }}"
  ACP_HERMES_BIN: "{{ acp_hermes_binary_path }}"
 acp_hermes_packages:
  - caddy
--- a/roles/vhosts/acp_server_hermes/handlers/main.yml
+++ b/roles/vhosts/acp_server_hermes/handlers/main.yml
@ -0,0 +1,8 @@
 ---
 - name: Restart acp hermes
  ansible.builtin.systemd:
    name: "{{ acp_hermes_service_name }}"
    state: restarted
    daemon_reload: true
  when:
    - not ansible_check_mode
--- a/roles/vhosts/acp_server_hermes/tasks/config.yml
+++ b/roles/vhosts/acp_server_hermes/tasks/config.yml
@ -0,0 +1,51 @@
 ---
 - name: Ensure local Hermes ACP build directory exists
  ansible.builtin.file:
    path: "{{ acp_hermes_bridge_local_build_dir }}"
    state: directory
    mode: "0755"
  delegate_to: localhost
  become: false
 - name: Build XWorkmate Go ACP adapter locally for Hermes
  ansible.builtin.command:
    cmd: go build -o "{{ acp_hermes_bridge_local_binary_path }}" .
    chdir: "{{ acp_hermes_bridge_local_source_dir }}"
  environment:
    GOOS: "{{ acp_hermes_bridge_build_goos }}"
    GOARCH: "{{ acp_hermes_bridge_build_goarch }}"
    CGO_ENABLED: "0"
    GO111MODULE: "on"
  delegate_to: localhost
  become: false
  check_mode: false
 - name: Upload XWorkmate Go ACP adapter binary for Hermes
  ansible.builtin.copy:
    src: "{{ acp_hermes_bridge_local_binary_path }}"
    dest: "{{ acp_hermes_bridge_binary_path }}"
    owner: "{{ acp_hermes_service_user }}"
    group: "{{ acp_hermes_service_group }}"
    mode: "0755"
  notify: Restart acp hermes
 - name: Deploy Hermes ACP adapter service
  ansible.builtin.template:
    src: hermes-acp-adapter.service.j2
    dest: "/etc/systemd/system/{{ acp_hermes_service_name }}.service"
    owner: root
    group: root
    mode: "0644"
  notify: Restart acp hermes
 - name: Reload systemd manager configuration for Hermes ACP
  ansible.builtin.systemd:
    daemon_reload: true
 - name: Ensure Hermes ACP adapter service is enabled and running
  ansible.builtin.systemd:
    name: "{{ acp_hermes_service_name }}"
    enabled: true
    state: started
  when:
    - not ansible_check_mode
--- a/roles/vhosts/acp_server_hermes/tasks/install.yml
+++ b/roles/vhosts/acp_server_hermes/tasks/install.yml
@ -0,0 +1,10 @@
 ---
 - name: Install Hermes ACP packages
  ansible.builtin.apt:
    name: "{{ acp_hermes_packages }}"
    state: present
    update_cache: true
  environment:
    DEBIAN_FRONTEND: noninteractive
    APT_LISTCHANGES_FRONTEND: none
  become: true
--- a/roles/vhosts/acp_server_hermes/tasks/main.yml
+++ b/roles/vhosts/acp_server_hermes/tasks/main.yml
@ -0,0 +1,18 @@
 ---
 - name: Install Hermes ACP prerequisites
  ansible.builtin.import_tasks: install.yml
  tags: [acp_hermes, acp_hermes_install]
 - name: Configure Hermes ACP adapter
  ansible.builtin.import_tasks: config.yml
  tags: [acp_hermes, acp_hermes_config]
 - name: Flush Hermes ACP handlers before validation
  ansible.builtin.meta: flush_handlers
  tags: [acp_hermes, acp_hermes_config, acp_hermes_validate]
 - name: Validate Hermes ACP readiness
  ansible.builtin.import_tasks: validate.yml
  tags: [acp_hermes, acp_hermes_validate]
  when:
    - not ansible_check_mode
--- a/roles/vhosts/acp_server_hermes/tasks/validate.yml
+++ b/roles/vhosts/acp_server_hermes/tasks/validate.yml
@ -0,0 +1,37 @@
 ---
 - name: Check Hermes ACP adapter listener
  ansible.builtin.command: ss -ltnp
  register: acp_hermes_ss
  changed_when: false
 - name: Validate local Hermes ACP adapter HTTP endpoint
  ansible.builtin.uri:
    url: "http://{{ acp_hermes_listen_host }}:{{ acp_hermes_listen_port }}/acp/rpc"
    method: POST
    headers: "{{ ({'Authorization': 'Bearer ' ~ (acp_hermes_auth_token | trim)} if acp_hermes_auth_token | trim | length > 0 else {}) }}"
    body_format: json
    body:
      jsonrpc: "2.0"
      id: 1
      method: acp.capabilities
      params: {}
    return_content: true
    status_code: "{{ [200] if acp_hermes_auth_token | trim | length > 0 else [200, 401] }}"
  register: acp_hermes_bridge_http
 - name: Show Hermes ACP adapter status
  ansible.builtin.command: systemctl status "{{ acp_hermes_service_name }}" --no-pager
  register: acp_hermes_status
  changed_when: false
  failed_when: false
 - name: Show Hermes ACP validation summary
  ansible.builtin.debug:
    msg:
      - "Hermes public base URL: {{ acp_hermes_public_base_url }}"
      - "Preferred WebSocket endpoint: {{ acp_hermes_public_base_url }}/acp"
      - "Compatibility HTTP RPC endpoint: {{ acp_hermes_public_base_url }}/acp/rpc"
      - "Hermes adapter listener: {{ acp_hermes_listen_host }}:{{ acp_hermes_listen_port }}"
      - "Service: {{ acp_hermes_status.stdout | default('N/A') }}"
      - "Socket: {{ acp_hermes_ss.stdout | default('N/A') }}"
      - "Bridge capabilities HTTP: {{ acp_hermes_bridge_http.content | default('N/A') }}"
--- a/roles/vhosts/acp_server_hermes/templates/hermes-acp-adapter.service.j2
+++ b/roles/vhosts/acp_server_hermes/templates/hermes-acp-adapter.service.j2
@ -0,0 +1,25 @@
 [Unit]
 Description=XWorkmate Hermes ACP adapter
 After=network-online.target
 Wants=network-online.target
 [Service]
 Type=simple
 User={{ acp_hermes_service_user }}
 Group={{ acp_hermes_service_group }}
 WorkingDirectory={{ acp_hermes_workdir }}
 Environment=HOME={{ acp_hermes_home }}
 Environment=TERM=xterm-256color
 Environment=HERMES_ADAPTER_LISTEN_ADDR={{ acp_hermes_listen_host }}:{{ acp_hermes_listen_port }}
 Environment=HERMES_ADAPTER_BIN={{ acp_hermes_binary_path }}
 Environment=HERMES_ADAPTER_ARGS={{ acp_hermes_args }}
 Environment=HERMES_ADAPTER_ALLOWED_ORIGINS={{ acp_hermes_allowed_origins | join(',') }}
 {% for key, value in acp_hermes_environment | dictsort %}
 Environment={{ key }}={{ value }}
 {% endfor %}
 ExecStart={{ acp_hermes_bridge_binary_path }} hermes-acp-adapter --listen {{ acp_hermes_listen_host }}:{{ acp_hermes_listen_port }} --hermes-bin {{ acp_hermes_binary_path }} --hermes-args "{{ acp_hermes_args }}"
 Restart=always
 RestartSec=2
 [Install]
 WantedBy=multi-user.target
--- a/roles/vhosts/acp_server_opencode/defaults/main.yml
+++ b/roles/vhosts/acp_server_opencode/defaults/main.yml
@ -1,35 +1,35 @@
 ---
-acp_opencode_service_name: opencode-acp
+acp_opencode_service_name: acp-opencode
 acp_opencode_runtime_user: ubuntu
 acp_opencode_runtime_group: "{{ acp_opencode_runtime_user }}"
 acp_opencode_runtime_home: "/home/{{ acp_opencode_runtime_user }}"
 acp_opencode_service_user: ubuntu
 acp_opencode_service_group: ubuntu
 acp_opencode_home: /home/ubuntu
 acp_opencode_workdir: /home/ubuntu/.opencode
 acp_opencode_listen_host: 127.0.0.1
 acp_opencode_listen_port: 38992
-acp_opencode_bridge_service_name: acp-bridge-opencode
+acp_opencode_packages: []
-acp_opencode_bridge_binary_path: /usr/local/bin/xworkmate-go-core
+acp_opencode_caddy_conf_dir: /etc/caddy/conf.d
 acp_opencode_enable_ufw: false
 acp_opencode_caddyfile_path: /etc/caddy/Caddyfile
 acp_opencode_manage_caddy: false
 acp_opencode_bridge_service_name: xworkmate-bridge
 acp_opencode_bridge_local_source_dir: "{{ playbook_dir }}/../xworkmate-bridge"
 acp_opencode_bridge_local_build_dir: "{{ playbook_dir }}/.artifacts/acp_opencode"
 acp_opencode_bridge_local_binary_path: "{{ acp_opencode_bridge_local_build_dir }}/xworkmate-go-core"
 acp_opencode_bridge_build_goos: linux
 acp_opencode_bridge_build_goarch: amd64
 acp_opencode_bridge_binary_path: /usr/local/bin/xworkmate-go-core
 acp_opencode_bridge_listen_host: 127.0.0.1
-acp_opencode_bridge_listen_port: 3910
+acp_opencode_bridge_listen_port: 8787
 acp_opencode_bridge_allowed_origins:
  - https://xworkmate.svc.plus
  - http://localhost:*
  - http://127.0.0.1:*
 acp_opencode_auth_token: "{{ lookup('ansible.builtin.env', 'INTERNAL_SERVICE_TOKEN') | default('', true) }}"
 acp_opencode_bridge_disabled_binary_path: /nonexistent/acp-disabled
 acp_opencode_bridge_opencode_binary_path: /usr/bin/opencode
 acp_opencode_public_base_url: https://xworkmate-bridge.svc.plus/opencode
-acp_opencode_expected_content_type: text/html
+acp_opencode_auth_token: "{{ lookup('ansible.builtin.env', 'INTERNAL_SERVICE_TOKEN') | default('', true) }}"
-acp_opencode_expected_body_marker: opencode-theme-id
+acp_opencode_environment: {}
 acp_opencode_caddyfile_path: /etc/caddy/Caddyfile
 acp_opencode_caddy_conf_dir: /etc/caddy/conf.d
 acp_opencode_manage_caddy: true
 acp_opencode_obsolete_caddy_fragment_paths:
  - /etc/caddy/conf.d/acp-server-opencode.caddy
-acp_opencode_enable_ufw: true
+  - /etc/caddy/conf.d/acp-server.caddy
 acp_opencode_packages:
  - caddy
--- a/roles/vhosts/acp_server_opencode/handlers/main.yml
+++ b/roles/vhosts/acp_server_opencode/handlers/main.yml
@ -4,12 +4,7 @@
    name: caddy
    state: reloaded
- name: Restart opencode acp
+- name: Restart acp opencode
  ansible.builtin.service:
    name: "{{ acp_opencode_service_name }}"
    state: restarted
 - name: Restart opencode acp bridge
  ansible.builtin.service:
    name: "{{ acp_opencode_bridge_service_name }}"
    state: restarted
--- a/roles/vhosts/acp_server_opencode/tasks/config.yml
+++ b/roles/vhosts/acp_server_opencode/tasks/config.yml
@ -26,7 +26,6 @@
    owner: root
    group: root
    mode: "0755"
  notify: Restart opencode acp bridge
 - name: Ensure OpenCode runtime directories exist
  ansible.builtin.file:
@ -65,16 +64,7 @@
    owner: root
    group: root
    mode: "0644"
-  notify: Restart opencode acp
+  notify: Restart acp opencode
 - name: Deploy OpenCode ACP bridge service
  ansible.builtin.template:
    src: acp-bridge.service.j2
    dest: "/etc/systemd/system/{{ acp_opencode_bridge_service_name }}.service"
    owner: root
    group: root
    mode: "0644"
  notify: Restart opencode acp bridge
 - name: Reload systemd manager configuration
  ansible.builtin.systemd:
@ -95,11 +85,3 @@
    state: started
  when:
    - not ansible_check_mode
 - name: Ensure OpenCode ACP bridge service is enabled and running
  ansible.builtin.systemd:
    name: "{{ acp_opencode_bridge_service_name }}"
    enabled: true
    state: started
  when:
    - not ansible_check_mode
--- a/roles/vhosts/acp_vhosts/defaults/main.yml
+++ b/roles/vhosts/acp_vhosts/defaults/main.yml
@ -4,7 +4,7 @@ acp_vhosts_caddyfile_path: /etc/caddy/Caddyfile
 acp_vhosts_caddy_conf_dir: /etc/caddy/conf.d
 acp_vhosts_caddy_fragment_path: /etc/caddy/conf.d/acp-server.caddy
 acp_vhosts_codex_upstream_host: 127.0.0.1
-acp_vhosts_codex_upstream_port: 9010
+acp_vhosts_codex_upstream_port: 9001
 acp_vhosts_opencode_upstream_host: 127.0.0.1
 acp_vhosts_opencode_upstream_port: 3910
 acp_vhosts_obsolete_caddy_fragment_paths:
--- a/roles/vhosts/gateway_openclaw/defaults/main.yml
+++ b/roles/vhosts/gateway_openclaw/defaults/main.yml
@ -6,7 +6,7 @@ xworkmate_bridge_domain: xworkmate-bridge.svc.plus
 xworkmate_bridge_public_base_url: https://xworkmate-bridge.svc.plus
 xworkmate_bridge_codex_upstream_host: 127.0.0.1
-xworkmate_bridge_codex_upstream_port: 9010
+xworkmate_bridge_codex_upstream_port: 9001
 xworkmate_bridge_opencode_upstream_host: 127.0.0.1
 xworkmate_bridge_opencode_upstream_port: 3910
 xworkmate_bridge_gemini_upstream_host: 127.0.0.1
--- a/roles/vhosts/gateway_openclaw/templates/xworkmate-bridge-site.caddy.j2
+++ b/roles/vhosts/gateway_openclaw/templates/xworkmate-bridge-site.caddy.j2
@ -1,52 +1,47 @@
-{{ xworkmate_bridge_service_domain }} {
+{{ xworkmate_bridge_domain }} {
-  encode zstd gzip
+    # 1. Authentication middleware
-
+    @unauthorized {
-  @root path /
+        not header Authorization "Bearer {{ xworkmate_bridge_auth_token | default('uTvryFvAbz6M5sRtmTaSTQY6otLZ95hneBsWqXu+35I=') }}"
  handle @root {
    respond "xworkmate-bridge is running" 200
  }
  # 统一鉴权拦截 (Bearer Token)
  @unauthorized {
    not path / /api/ping
    not header Authorization "Bearer {{ xworkmate_bridge_auth_token }}"
  }
  handle @unauthorized {
    respond "Unauthorized" 401
  }
  # Codex Provider
  handle_path /acp-server/codex* {
    reverse_proxy {{ xworkmate_bridge_codex_upstream_host }}:{{ xworkmate_bridge_codex_upstream_port }} {
      flush_interval -1
    }
-  }
+    handle @unauthorized {
-
+        header Content-Type "application/json"
-  # OpenCode Provider
+        respond `{"jsonrpc":"2.0","error":{"code":-32001,"message":"unauthorized"},"type":"res","ok":false}` 401
  handle_path /acp-server/opencode* {
    reverse_proxy {{ xworkmate_bridge_opencode_upstream_host }}:{{ xworkmate_bridge_opencode_upstream_port }} {
      flush_interval -1
    }
  }
-  # Gemini Adapter
+    # 2. Root status endpoint
-  handle_path /acp-server/gemini* {
+    handle_path / {
-    reverse_proxy {{ xworkmate_bridge_gemini_upstream_host }}:{{ xworkmate_bridge_gemini_upstream_port }} {
+        reverse_proxy 127.0.0.1:8787
      flush_interval -1
    }
  }
-  # OpenClaw Gateway (支持 WebSocket)
+    # 3. Unified ACP protocol entrance (Supplement)
-  handle_path /gateway/openclaw* {
+    handle_path /acp* {
-    reverse_proxy {{ xworkmate_bridge_openclaw_upstream_host }}:{{ xworkmate_bridge_openclaw_upstream_port }} {
+        reverse_proxy 127.0.0.1:8787
      flush_interval -1
    }
  }
-  # 默认回退到 Managed Bridge Core
+    # 4. ACP Server redirections (Corrected to True Sources)
-  handle {
+    handle_path /acp-server/codex* {
-    reverse_proxy {{ xworkmate_bridge_listen_host }}:{{ xworkmate_bridge_listen_port }} {
+        reverse_proxy 127.0.0.1:9001
-      flush_interval -1
+    }
    handle_path /acp-server/opencode* {
        reverse_proxy 127.0.0.1:38992
    }
    handle_path /acp-server/gemini* {
        reverse_proxy 127.0.0.1:8791
    }
    handle_path /acp-server/hermes* {
        reverse_proxy 127.0.0.1:3920
    }
    # 5. Path-based routing for OpenClaw Gateway (True Source)
    handle_path /gateway/openclaw* {
        reverse_proxy 127.0.0.1:18789
    }
    # 6. API endpoints
    handle_path /api* {
        reverse_proxy 127.0.0.1:8787
    }
    log {
        output file /var/log/caddy/xworkmate-bridge.log
    }
  }
 }
--- a/roles/vhosts/xworkmate_bridge/README.md
+++ b/roles/vhosts/xworkmate_bridge/README.md
@ -12,6 +12,7 @@ The active implementation currently lives in:
 - [`roles/vhosts/acp_codex`](/Users/shenlan/workspaces/cloud-neutral-toolkit/playbooks/roles/vhosts/acp_codex)
 - [`roles/vhosts/acp_opencode`](/Users/shenlan/workspaces/cloud-neutral-toolkit/playbooks/roles/vhosts/acp_opencode)
 - [`roles/vhosts/acp_gemini`](/Users/shenlan/workspaces/cloud-neutral-toolkit/playbooks/roles/vhosts/acp_gemini)
 - [`roles/vhosts/acp_server_hermes`](/Users/shenlan/workspaces/cloud-neutral-toolkit/playbooks/roles/vhosts/acp_server_hermes)
 This README is the umbrella operations note for that deployed stack.
@ -68,6 +69,7 @@ Base domains:
 - `https://xworkmate-bridge.svc.plus/codex`
 - `https://xworkmate-bridge.svc.plus/opencode`
 - `https://xworkmate-bridge.svc.plus/gemini`
 - `https://xworkmate-bridge.svc.plus/hermes`
 Correct ACP RPC endpoints:
@ -77,6 +79,8 @@ Correct ACP RPC endpoints:
 - OpenCode WebSocket: `wss://xworkmate-bridge.svc.plus/opencode/acp`
 - Gemini HTTP RPC: `https://xworkmate-bridge.svc.plus/gemini/acp/rpc`
 - Gemini WebSocket: `wss://xworkmate-bridge.svc.plus/gemini/acp`
 - Hermes HTTP RPC: `https://xworkmate-bridge.svc.plus/hermes/acp/rpc`
 - Hermes WebSocket: `wss://xworkmate-bridge.svc.plus/hermes/acp`
 Note:
@ -93,6 +97,7 @@ With `Authorization: Bearer $INTERNAL_SERVICE_TOKEN`:
 - `https://xworkmate-bridge.svc.plus/codex/acp/rpc` -> `200`
 - `https://xworkmate-bridge.svc.plus/opencode/acp/rpc` -> `200`
 - `https://xworkmate-bridge.svc.plus/gemini/acp/rpc` -> `200`
 - `https://xworkmate-bridge.svc.plus/hermes/acp/rpc` -> `200`
 Bridge public root:
--- a/roles/vhosts/xworkmate_bridge/defaults/main.yml
+++ b/roles/vhosts/xworkmate_bridge/defaults/main.yml
@ -29,5 +29,14 @@ xworkmate_bridge_public_base_url: https://xworkmate-bridge.svc.plus
 xworkmate_bridge_service_domain: xworkmate-bridge.svc.plus
 xworkmate_bridge_service_public_base_url: https://xworkmate-bridge.svc.plus
 # Internal 真源映射 (Final Source of Truth)
 xworkmate_bridge_openclaw_url: "ws://127.0.0.1:18789/"
 xworkmate_bridge_codex_rpc_url: "http://127.0.0.1:9001/acp/rpc"
 xworkmate_bridge_opencode_rpc_url: "http://127.0.0.1:38992/acp/rpc"
 xworkmate_bridge_gemini_rpc_url: "http://127.0.0.1:8791/acp/rpc"
 xworkmate_bridge_hermes_rpc_url: "http://127.0.0.1:3920/acp/rpc"
 xworkmate_bridge_packages:
  - caddy
 # Legacy services to clean up
--- a/roles/vhosts/xworkmate_bridge/handlers/main.yml
+++ b/roles/vhosts/xworkmate_bridge/handlers/main.yml
@ -1,5 +1,11 @@
 ---
 - name: Reload bridge
-  ansible.builtin.systemd:
+  ansible.builtin.command: >-
-    name: acp-bridge-codex # Or whichever service manages the main bridge process
+    docker compose
-    state: restarted
+    --project-name {{ xworkmate_bridge_project_name }}
    -f {{ xworkmate_bridge_compose_file }}
    restart bridge
  args:
    chdir: "{{ xworkmate_bridge_base_dir }}"
  when:
    - not ansible_check_mode
--- a/roles/vhosts/xworkmate_bridge/tasks/main.yml
+++ b/roles/vhosts/xworkmate_bridge/tasks/main.yml
@ -61,21 +61,6 @@
    chdir: "{{ xworkmate_bridge_base_dir }}"
  changed_when: false
 - name: Stop legacy xworkmate-bridge systemd service
  ansible.builtin.systemd:
    name: "{{ xworkmate_bridge_service_name }}"
    enabled: false
    state: stopped
    daemon_reload: true
  failed_when: false
  when:
    - not ansible_check_mode
 - name: Remove legacy xworkmate-bridge systemd unit
  ansible.builtin.file:
    path: "/etc/systemd/system/{{ xworkmate_bridge_service_name }}.service"
    state: absent
 - name: Pull xworkmate-bridge image
  ansible.builtin.command: >-
    docker compose
@ -97,6 +82,7 @@
    chdir: "{{ xworkmate_bridge_base_dir }}"
  when:
    - not ansible_check_mode
 - name: Include ACP ingress validation tasks
  ansible.builtin.import_tasks: validate.yml
  tags: [xworkmate_bridge, xworkmate_bridge_validate]
--- a/roles/vhosts/xworkmate_bridge/tasks/validate.yml
+++ b/roles/vhosts/xworkmate_bridge/tasks/validate.yml
@ -48,6 +48,17 @@
  when:
    - deploy_acp_gemini | bool
 - name: Check Hermes route through unified ACP ingress
  ansible.builtin.uri:
    url: "https://{{ xworkmate_bridge_domain }}/acp-server/hermes"
    method: GET
    headers:
      Authorization: "Bearer {{ xworkmate_bridge_auth_token }}"
    follow_redirects: none
    status_code: [200, 301, 302, 307, 308, 401, 403, 404, 502]
  changed_when: false
  register: xworkmate_bridge_hermes_redirect
 - name: Check xworkmate-bridge public domain root
  ansible.builtin.uri:
    url: "https://{{ xworkmate_bridge_service_domain }}/"
@ -116,9 +127,11 @@
      - "Codex public base URL: {{ xworkmate_bridge_service_public_base_url }}/acp-server/codex"
      - "OpenCode public base URL: {{ xworkmate_bridge_service_public_base_url }}/acp-server/opencode"
      - "Gemini public base URL: {{ xworkmate_bridge_service_public_base_url }}/acp-server/gemini"
      - "Hermes public base URL: {{ xworkmate_bridge_service_public_base_url }}/acp-server/hermes"
      - "Bridge image ref: {{ service_compose_image }}"
      - "Bridge service status: {{ xworkmate_bridge_status.stdout | default('N/A') }}"
      - "Codex route: /acp-server/codex -> {{ xworkmate_bridge_codex_upstream_host }}:{{ xworkmate_bridge_codex_upstream_port }}"
      - "OpenCode route: /acp-server/opencode -> {{ xworkmate_bridge_opencode_upstream_host }}:{{ xworkmate_bridge_opencode_upstream_port }}"
      - "Gemini route: /acp-server/gemini -> {{ xworkmate_bridge_gemini_upstream_host }}:{{ xworkmate_bridge_gemini_upstream_port }}"
      - "Hermes route: /acp-server/hermes -> {{ xworkmate_bridge_gemini_upstream_host }}:{{ xworkmate_bridge_gemini_upstream_port }}"
      - "OpenClaw route: /gateway/openclaw -> {{ xworkmate_bridge_openclaw_upstream_host }}:{{ xworkmate_bridge_openclaw_upstream_port }}"
--- a/roles/vhosts/xworkmate_bridge/templates/config.yaml.j2
+++ b/roles/vhosts/xworkmate_bridge/templates/config.yaml.j2
@ -8,6 +8,7 @@ upstream:
  codex_url: "{{ xworkmate_bridge_codex_rpc_url | default('https://xworkmate-bridge.svc.plus/acp-server/codex/acp/rpc') }}"
  opencode_url: "{{ xworkmate_bridge_opencode_rpc_url | default('https://xworkmate-bridge.svc.plus/acp-server/opencode/acp/rpc') }}"
  gemini_url: "{{ xworkmate_bridge_gemini_rpc_url | default('https://xworkmate-bridge.svc.plus/acp-server/gemini/acp/rpc') }}"
  hermes_url: "{{ xworkmate_bridge_hermes_rpc_url | default('https://xworkmate-bridge.svc.plus/acp-server/hermes/acp/rpc') }}"
 # Server orchestration settings
 bridge: