wrapper: ENABLE_STZ gate, rename phases, drop unused forward-proxy probe

- Add ENABLE_STZ env var. Default is the prior behavior (disable STZ
  during boot, restore after hot path is up). ENABLE_STZ=false or 0
  keeps STZ disabled for the lifetime of the container.
- Rename the boot phases by purpose: browser (X server, dbus,
  chromedriver, chromium, optional mutter/neko) and identity (envoy
  bootstrap render + kernel-images-api restart). Ready log line is now
  'ready in T (browser=… identity=…; cdp=… …)'.
- Drop the forward-proxy probe. The 8888 listener was a private
  Chromium-fork feature; stock Chromium never binds it, so the probe
  was always timing out at 60s on envoy-disabled boots.
- Fix shared/envoy/init-envoy.sh: branch on supervisor status so cold
  boots 'start' envoy instead of 'restart' (which fails under
  errexit on a stopped service); re-renders still 'restart'.
- Replace the handwritten atoi with strconv.Atoi and promote the
  anonymous probe struct to a named type.

Author: sjmiller609

server/cmd/wrapper/chromium.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"os"
 	"os/exec"
+	"strconv"
 	"strings"
 	"time"
 )
@@ -78,8 +79,8 @@ func dismissNoSandboxWarning() {
 	}
 	width := parts[0]
 	x := width
-	if w := atoi(width); w > 30 {
-		x = fmt.Sprintf("%d", w-30)
+	if w, err := strconv.Atoi(width); err == nil && w > 30 {
+		x = strconv.Itoa(w - 30)
 	}
 	target := "New Tab - Chromium"
 	deadline := time.Now().Add(30 * time.Second)
@@ -109,13 +110,3 @@ func dismissNoSandboxWarning() {
 		"-d", body).Run()
 }
 
-func atoi(s string) int {
-	n := 0
-	for _, c := range s {
-		if c < '0' || c > '9' {
-			return 0
-		}
-		n = n*10 + int(c-'0')
-	}
-	return n
-}

server/cmd/wrapper/main.go

@@ -56,7 +56,8 @@ func profileName(p profile) string {
 func main() {
 	t0 := time.Now()
 	prof := detectProfile()
-	logf("starting wrapper (profile=%s)", profileName(prof))
+	stzManaged := scaleToZeroManaged()
+	logf("starting wrapper (profile=%s stz=%s)", profileName(prof), stzMode(stzManaged))
 
 	// Register signal handling early so a SIGTERM/SIGINT during the
 	// seconds-long startup window queues into the channel instead of
@@ -72,9 +73,13 @@ func main() {
 		_ = exec.Command("mount", "-t", "tmpfs", "tmpfs", "/dev/shm").Run()
 	}
 
-	// Disable scale-to-zero for the duration of startup; restored on exit.
+	// Disable scale-to-zero for the duration of startup. When ENABLE_STZ is
+	// false/0 the caller wants STZ off permanently, so we don't re-enable on
+	// exit or once the hot path is up.
 	disableScaleToZero()
-	defer enableScaleToZero()
+	if stzManaged {
+		defer enableScaleToZero()
+	}
 
 	// Headless ships a default CHROMIUM_FLAGS list (headless+stealth flags)
 	// when callers don't set one. Headful's defaults are caller-supplied.
@@ -141,13 +146,13 @@ func main() {
 	}()
 	waitForSocket(supervisorSock, 10*time.Second)
 
-	// Phase A: identity-free services. Chromium itself doesn't read any
-	// per-instance identity envs — it just needs the envoy CA cert (baked
-	// into the image at build time, see shared/envoy/bake-certs.sh) so it
-	// trusts the forward proxy on first start with no runtime cert work to
-	// wait on. chromium-launcher internally waits for the X server before
-	// exec'ing chromium, so we start it in parallel with the X server to
-	// overlap chromium-launcher's preamble with display startup.
+	// Browser phase: identity-free services. Chromium itself doesn't read
+	// any per-instance identity envs — it just needs the envoy CA cert
+	// (baked into the image at build time, see shared/envoy/bake-certs.sh)
+	// so it trusts the forward proxy on first start with no runtime cert
+	// work to wait on. chromium-launcher internally waits for the X server
+	// before exec'ing chromium, so we start it in parallel with the X
+	// server to overlap chromium-launcher's preamble with display startup.
 	// chromedriver listens on 9225 immediately and only attaches to
 	// chromium on session creation, so it can come up alongside everything.
 	// mutter has no internal X-wait, so it's started after the X server is
@@ -163,7 +168,7 @@ func main() {
 	// parallel with chromium.
 	_ = os.WriteFile(filepath.Join(supervisordLogD, "chromium"), nil, 0o644)
 
-	phaseAStart := time.Now()
+	browserStart := time.Now()
 	startAll(xServer, "dbus", "chromedriver", "chromium")
 	waitForX(defaultDisplay, 20*time.Second)
 	waitForSocket(dbusSocket, 10*time.Second)
@@ -174,7 +179,7 @@ func main() {
 		}
 		startAll(post...)
 	}
-	phaseADone := time.Now()
+	browserDone := time.Now()
 
 	// FORK HOOK:
 	//   When this binary runs as a forked snapshot restore, the per-fork
@@ -185,33 +190,35 @@ func main() {
 	//     1. Block on the host-pushed env bundle (vsock socket, virtio-fs
 	//        drop file, or whatever transport the control plane settles on).
 	//     2. Apply the bundle to this process's environ via os.Setenv so
-	//        Phase C below picks them up via the existing $VAR expansion in
-	//        init-envoy.sh and the supervisorctl-spawned services inherit
-	//        them.
-	//     3. Phase C uses `supervisorctl restart envoy` (idempotent — start
-	//        on first boot, stop+start on a re-render after fork) so a
-	//        restored snapshot drops its stale identity cleanly.
+	//        the identity phase below picks them up via the existing $VAR
+	//        expansion in init-envoy.sh and the supervisorctl-spawned
+	//        services inherit them.
+	//     3. The identity phase uses `supervisorctl restart envoy`
+	//        (idempotent — start on first boot, stop+start on a re-render
+	//        after fork) so a restored snapshot drops its stale identity
+	//        cleanly.
 	//   Boot path keeps running through unchanged: the wait simply no-ops
 	//   when there's no fork bundle to receive.
 
-	// Phase C: identity-bound. Render envoy bootstrap with INST_NAME/JWT/etc
-	// and (re)start envoy + kernel-images-api. Both services use `restart`
-	// so the same code path works for boot (start a stopped service) and
-	// post-fork (stop+start to force a re-read of refreshed envs).
-	phaseCStart := time.Now()
+	// Identity phase: identity-bound services. Render envoy bootstrap with
+	// INST_NAME/JWT/etc and (re)start envoy + kernel-images-api. Both
+	// services use `restart` so the same code path works for boot (start a
+	// stopped service) and post-fork (stop+start to force a re-read of
+	// refreshed envs).
+	identityStart := time.Now()
 	if isExecutable("/usr/local/bin/init-envoy.sh") {
 		runStreamFatal("envoy-init", "/usr/local/bin/init-envoy.sh")
 	}
 	restartAll("kernel-images-api")
-	phaseCDone := time.Now()
+	identityDone := time.Now()
 
 	// Wait for the union of caller-visible ready signals. Each probe runs
 	// concurrently and logs as soon as its target is reachable.
 	probeDurations := waitAllReady(t0, webrtc)
-	logf("ready in %s (phaseA=%s phaseC=%s; %s)",
+	logf("ready in %s (browser=%s identity=%s; %s)",
 		since(t0),
-		phaseADone.Sub(phaseAStart).Truncate(time.Millisecond),
-		phaseCDone.Sub(phaseCStart).Truncate(time.Millisecond),
+		browserDone.Sub(browserStart).Truncate(time.Millisecond),
+		identityDone.Sub(identityStart).Truncate(time.Millisecond),
 		formatProbeDurations(probeDurations))
 
 	// Cosmetic + non-critical services come up off the hot path. Headless has
@@ -225,8 +232,11 @@ func main() {
 		}()
 	}
 
-	// Re-enable scale-to-zero now that the hot path is up.
-	enableScaleToZero()
+	// Re-enable scale-to-zero now that the hot path is up — unless the caller
+	// asked to keep it disabled via ENABLE_STZ=false/0.
+	if stzManaged {
+		enableScaleToZero()
+	}
 
 	// Block on supervisord; container exits when it does.
 	if err := supCmd.Wait(); err != nil {
@@ -235,37 +245,23 @@ func main() {
 }
 
 // waitAllReady gates on all caller-visible ready signals concurrently:
-//   - CDP   : HTTP /json/version on the public CDP port (proves api proxy is wired
-//             through to chromium's DevTools server)
-//   - cd    : TCP on chromedriver's internal port 9225 (api on 9224 is bound when
-//             api itself is up, which CDP readiness already implies)
-//   - proxy : TCP on chromium's --forward-proxy-port (8888)
-//   - neko  : TCP on neko's HTTP port (8080), only when ENABLE_WEBRTC=true
-//   - envoy : TCP on envoy's listener (3128), only when envoy is enabled
+//   - cdp          : HTTP /json/version on the public CDP port (proves api proxy is
+//                    wired through to chromium's DevTools server)
+//   - chromedriver : TCP on chromedriver's internal port 9225 (api on 9224 is bound
+//                    when api itself is up, which CDP readiness already implies)
+//   - neko         : TCP on neko's HTTP port (8080), only when ENABLE_WEBRTC=true
+//   - envoy        : TCP on envoy's listener (3128), only when envoy is enabled
 func waitAllReady(t0 time.Time, webrtc bool) map[string]time.Duration {
 	chromePort := os.Getenv("CHROME_PORT")
-	if chromePort == "" {
-		chromePort = "9222"
-	}
-	probes := []struct {
-		name string
-		fn   func() bool
-	}{
+	probes := []probe{
 		{"cdp", func() bool { return httpProbeOK("http://127.0.0.1:" + chromePort + "/json/version") }},
 		{"chromedriver", func() bool { return tcpOK("127.0.0.1", "9225") }},
-		{"forward-proxy", func() bool { return tcpOK("127.0.0.1", "8888") }},
 	}
 	if webrtc {
-		probes = append(probes, struct {
-			name string
-			fn   func() bool
-		}{"neko", func() bool { return tcpOK("127.0.0.1", "8080") }})
+		probes = append(probes, probe{"neko", func() bool { return tcpOK("127.0.0.1", "8080") }})
 	}
 	if envoyEnabled() {
-		probes = append(probes, struct {
-			name string
-			fn   func() bool
-		}{"envoy", func() bool { return tcpOK("127.0.0.1", "3128") }})
+		probes = append(probes, probe{"envoy", func() bool { return tcpOK("127.0.0.1", "3128") }})
 	}
 
 	type result struct {
@@ -301,11 +297,16 @@ func waitAllReady(t0 time.Time, webrtc bool) map[string]time.Duration {
 	return durations
 }
 
+type probe struct {
+	name string
+	fn   func() bool
+}
+
 // formatProbeDurations renders waitAllReady's per-probe ready times in a stable
 // order so log lines diff cleanly across runs. Probes that never succeeded are
 // omitted (they'd already have logged a WARNING separately).
 func formatProbeDurations(d map[string]time.Duration) string {
-	order := []string{"cdp", "chromedriver", "forward-proxy", "neko", "envoy"}
+	order := []string{"cdp", "chromedriver", "neko", "envoy"}
 	parts := make([]string, 0, len(d))
 	for _, name := range order {
 		if v, ok := d[name]; ok {

server/cmd/wrapper/system.go

@@ -17,6 +17,21 @@ func writeScaleToZero(c string) {
 	_ = os.WriteFile(scaleToZeroFile, []byte(c), 0o644)
 }
 
+// scaleToZeroManaged reports whether the wrapper should re-enable scale-to-zero
+// once boot completes. Default is true (preserves the previous behavior); set
+// ENABLE_STZ=false or 0 to keep STZ disabled for the lifetime of the container.
+func scaleToZeroManaged() bool {
+	v := os.Getenv("ENABLE_STZ")
+	return v != "false" && v != "0"
+}
+
+func stzMode(managed bool) string {
+	if managed {
+		return "managed"
+	}
+	return "off"
+}
+
 func prepareUserDirs(asRoot bool) {
 	if asRoot {
 		for _, d := range []string{"/tmp", "/var/log", supervisordLogD, "/home/kernel", "/home/kernel/user-data"} {

shared/envoy/init-envoy.sh

@@ -35,10 +35,18 @@ sed -e "s|{INST_NAME}|$inst_esc|g" \
     /etc/envoy/templates/bootstrap.yaml > /etc/envoy/bootstrap.yaml
 
 echo "[envoy-init] Starting Envoy via supervisord"
-# `restart` is start-or-stop+start: on first boot this just starts envoy,
-# on a re-render (e.g. post-fork env refresh) it forces a clean re-read
-# of the rendered bootstrap. Either way no callers see stale identity.
-supervisorctl -c /etc/supervisor/supervisord.conf restart envoy
+# Envoy's supervisor program has autostart=false, so on cold boot it's in
+# the STOPPED state. supervisorctl's `restart` is implemented as stop+start
+# and reports a non-zero exit when the stop sees a service that isn't
+# running — which under `set -o errexit` would abort the boot path. Branch
+# on the current state so cold boots only `start`, while re-renders (e.g.
+# post-fork env refresh) `restart` to force a clean re-read of the
+# rendered bootstrap.
+if supervisorctl -c /etc/supervisor/supervisord.conf status envoy | grep -q RUNNING; then
+  supervisorctl -c /etc/supervisor/supervisord.conf restart envoy
+else
+  supervisorctl -c /etc/supervisor/supervisord.conf start envoy
+fi
 
 # Readiness (port 3128 reachable) is probed by the Go wrapper's
 # waitAllReady alongside CDP/chromedriver, so this script returns as soon