From 80463235b00d405ecdff903b8a7c8b3a33153d0c Mon Sep 17 00:00:00 2001
From: Vantz Stockwell <vstockwell@predator-mini.local>
Date: Sat, 14 Mar 2026 05:23:02 -0400
Subject: [PATCH] fix(rdp): VERSION echo + guacd host networking for overlay
 reach
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Echo VERSION_X_Y_Z args back to guacd in CONNECT handshake
- Set guacd to network_mode: host so it can reach RDP targets on
  NetBird/Tailscale overlay networks (100.64.x.x)
- App container uses host.docker.internal to reach guacd on host
- Add diagnostic logging for guacd→browser instruction relay

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 backend/src/rdp/guacamole.service.ts | 6 +++++-
 backend/src/rdp/rdp.gateway.ts       | 9 ++++++---
 docker-compose.yml                   | 5 ++++-
 3 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/backend/src/rdp/guacamole.service.ts b/backend/src/rdp/guacamole.service.ts
index da6d7d7..de60cc8 100644
--- a/backend/src/rdp/guacamole.service.ts
+++ b/backend/src/rdp/guacamole.service.ts
@@ -170,7 +170,11 @@ export class GuacamoleService {
     };
 
     // Build values array matching the exact order guacd expects
-    const values = argNames.map((name) => paramMap[name] ?? '');
+    // VERSION_X_Y_Z args must be echoed back as-is
+    const values = argNames.map((name) => {
+      if (name.startsWith('VERSION_')) return name;
+      return paramMap[name] ?? '';
+    });
     return this.encode('connect', ...values);
   }
 
diff --git a/backend/src/rdp/rdp.gateway.ts b/backend/src/rdp/rdp.gateway.ts
index e5a1754..9f32eee 100644
--- a/backend/src/rdp/rdp.gateway.ts
+++ b/backend/src/rdp/rdp.gateway.ts
@@ -91,10 +91,13 @@ export class RdpGateway {
 
     // Pipe guacd → browser: wrap raw Guacamole instruction bytes in JSON envelope
     socket.on('data', (data: Buffer) => {
+      const instruction = data.toString('utf-8');
+      // Log first few instructions or errors for diagnostics
+      if (instruction.includes('error') || instruction.includes('ready') || instruction.includes('nop')) {
+        this.logger.log(`[guacd→browser] ${instruction.substring(0, 200)}`);
+      }
       if (client.readyState === 1 /* WebSocket.OPEN */) {
-        client.send(
-          JSON.stringify({ type: 'guac', instruction: data.toString('utf-8') }),
-        );
+        client.send(JSON.stringify({ type: 'guac', instruction }));
       }
     });
 
diff --git a/docker-compose.yml b/docker-compose.yml
index fdbf72f..078ff53 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -6,8 +6,10 @@ services:
       DATABASE_URL: postgresql://wraith:${DB_PASSWORD}@postgres:5432/wraith
       JWT_SECRET: ${JWT_SECRET}
       ENCRYPTION_KEY: ${ENCRYPTION_KEY}
-      GUACD_HOST: guacd
+      GUACD_HOST: host.docker.internal
       GUACD_PORT: "4822"
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
     depends_on:
       postgres:
         condition: service_healthy
@@ -17,6 +19,7 @@ services:
 
   guacd:
     image: guacamole/guacd
+    network_mode: host
     restart: always
 
   postgres: