fix(windows): make tightvnc startup deterministic#689
Conversation
|
Codex review: needs real behavior proof before merge. Reviewed June 25, 2026, 9:17 AM ET / 13:17 UTC. Summary Reproducibility: no. high-confidence live reproduction was established in this review. The PR body shows the firewall prompt and current source starts user-session TightVNC after installing with firewall exceptions disabled, but I did not run an Azure Windows lease. Review metrics: 2 noteworthy metrics.
Merge readiness Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch. Rank-up moves:
Proof guidance:
Mantis proof suggestion Risk before merge
Maintainer options:
Next step before merge
Security Review findings
Review detailsBest possible solution: Keep the deterministic startup and registry retry work, but preserve tunnel-only VNC in both bootstrap generators and require live Windows proof for prompt suppression, authentication, and direct-VNC rejection before merge. Do we have a high-confidence way to reproduce the issue? No high-confidence live reproduction was established in this review. The PR body shows the firewall prompt and current source starts user-session TightVNC after installing with firewall exceptions disabled, but I did not run an Azure Windows lease. Is this the best way to solve the issue? No. Deterministic startup is the right direction, but the current firewall rule is not the narrowest maintainable fix because it can violate the tunnel-only VNC boundary. Full review comments:
Overall correctness: patch is incorrect AGENTS.md: found and applied where relevant. Codex review notes: model internal, reasoning high; reviewed against 0ec69d642764. Label changesLabel justifications:
Evidence reviewedSecurity concerns:
What I checked:
Likely related people:
What the crustacean ranks mean
Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics. How this review workflow works
|
|
Superseded by 184979d. Current Verified on current
Thanks @fcoury-oai for isolating the modal and startup race. The report was useful; the safer service-mode fix landed independently while this PR was open. |
Why
Azure Windows desktop leases can show the Windows Firewall prompt for
TightVNC Serverthe first time the per-user VNC process starts. That modal blocks the visible desktop and can sit in front of automation that is trying to inspect or drive the target application.The VNC bootstrap should make the desktop transport ready without depending on a human click or on best-effort registry timing.
What Changed
Crabbox-TightVNC-LoopbackWindows Firewall allow rule fortvnserver.exeon TCP port5900before the user-session VNC process is scheduled or started.PasswordandControlPasswordregistry values instead of assuming they are immediately available after install.CrabboxUserVNCtask so the task definition is explicit about interactive logon and highest run level.How to Test
Build the local CLI from this branch:
Acquire a Windows desktop lease using the Azure provider.
Connect to the lease through
crabbox vnc.Confirm that the desktop is reachable through VNC without a Windows Security firewall prompt for
TightVNC Server.Confirm that the VNC server still requires VNC authentication and only listens on the expected loopback-forwarded path.
Targeted tests:
go test ./internal/cli -run TestAWSUserDataWindowsProfile -count=1npm test -- bootstrap.test.tsfromworker/Documentation
No developers.openai.com/codex documentation update is needed.