Runbook 00a — Privacy-Safe CI Operating Mode

Defines a temporary operating mode that constrains network exposure during recordings by using NAT, loopback-only ports, and SSH tunneling.

Objective

  • Prevent disclosure of LAN IPs and internal hostnames in CI logs and recordings
  • Preserve a real runner → SUT boundary
  • Ensure failures remain fast and diagnosable
  • Operate without modifying application code

Topology

MacBook Pro (MBP):  Hosts the SUT: Ubuntu VM (VirtualBox) + Docker Compose services. VM networking is NAT. Published ports are bound to loopback only.
MacBook Pro (MBP):  Local test runner (manual / dev execution).
New Mac mini:       GitLab CI runner only. No VirtualBox. No direct LAN access to the SUT.

Network contract

Web:                  http://127.0.0.1:3000
API:                  http://127.0.0.1:3001/api
VM SSH (host access): ssh -p 2222 sut@127.0.0.1 (MBP only)

Loopback addresses are intentional. CI access requires an SSH tunnel.

Commands

Start services (inside VM)

cd ~/conduit
docker compose up -d
docker compose ps

Open SSH tunnel (CI runner → MBP)

# Forward the runner's local 3000/3001 to the SUT's loopback ports via the
# VM SSH endpoint published on the MBP (port 2222); -N opens no remote shell.
ssh -N \
  -L 3000:127.0.0.1:3000 \
  -L 3001:127.0.0.1:3001 \
  -p 2222 sut@<MBP_HOSTNAME_OR_IP>

Runner preflight

nc -z 127.0.0.1 3000
nc -z 127.0.0.1 3001

curl -fsS http://127.0.0.1:3000/ >/dev/null
curl -fsS http://127.0.0.1:3001/api/tags >/dev/null

CI variables

WEB_BASE_URL=http://127.0.0.1:3000
API_BASE_URL=http://127.0.0.1:3001/api

Failure modes

Tunnel not running

Symptoms: connection refused on 127.0.0.1:3000/3001 from CI runner.

ps aux | grep "ssh -N" | grep -v grep

SUT not running

Symptoms: tunnel is active but HTTP checks fail.

ssh -p 2222 sut@127.0.0.1          # from the MBP; lands in the VM
cd ~/conduit && docker compose ps  # compose project dir, as in "Start services"

Incorrect target used

Symptoms: CI attempts to reach non-loopback addresses.

echo "$WEB_BASE_URL"
echo "$API_BASE_URL"
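As an added example (not part of the runbook), the two checks a CI job can run before a recording is published: reject any non-loopback base URL, and scan the job log for LAN addresses or internal hostnames. The sample log is constructed; the `.local` and `.lan` suffixes are assumptions alongside the runbook's `sut.testlab`.

```shell
#!/usr/bin/env bash
# Added helpers for the privacy-safe mode: validate CI targets and scan a log
# for LAN-IP / internal-hostname disclosure. Example code, not from the runbook;
# the sample log below is constructed, and the hostname suffixes are assumptions.
set -u

# 0 if the URL points at 127.0.0.1 (optionally with port and path), else 1.
is_loopback_url() {
  printf '%s\n' "$1" | grep -Eq '^http://127\.0\.0\.1(:[0-9]{1,5})?(/.*)?$'
}

# Check every base URL handed to CI; exit status 1 if any is non-loopback.
check_ci_targets() {
  rc=0
  for u in "$@"; do
    if is_loopback_url "$u"; then echo "ok   $u"
    else echo "FAIL $u is not a loopback target" >&2; rc=1; fi
  done
  return $rc
}

# Read a log on stdin and print lines that disclose RFC 1918 addresses or
# names under internal suffixes (.testlab from the runbook; .local/.lan assumed).
leak_lines() {
  grep -En \
    -e '(^|[^0-9.])10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}([^0-9.]|$)' \
    -e '(^|[^0-9.])172\.(1[6-9]|2[0-9]|3[01])\.[0-9]{1,3}\.[0-9]{1,3}([^0-9.]|$)' \
    -e '(^|[^0-9.])192\.168\.[0-9]{1,3}\.[0-9]{1,3}([^0-9.]|$)' \
    -e '(^|[^A-Za-z0-9.-])[A-Za-z0-9-]+\.(testlab|local|lan)([^A-Za-z0-9-]|$)'
}

# Number of leaking lines in the log given on stdin (0 means safe to publish).
leak_count() { leak_lines | wc -l | tr -d ' '; }

# Constructed sample: what a recording log might contain in and out of this mode.
SAMPLE_LOG='GET http://127.0.0.1:3000/ 200
GET http://192.168.1.42:3000/ 200
ssh: connect to host sut.testlab port 22: Connection refused
API_BASE_URL=http://127.0.0.1:3001/api
runner=10.0.0.7 job=42'

main() {
  check_ci_targets "${WEB_BASE_URL:-http://127.0.0.1:3000}" \
                   "${API_BASE_URL:-http://127.0.0.1:3001/api}"
  printf '%s\n' "$SAMPLE_LOG" | leak_lines
  echo "leaking lines: $(printf '%s\n' "$SAMPLE_LOG" | leak_count)"
}
main
```

In a real job, pipe the captured job log into `leak_count` and fail the pipeline when it is non-zero; the loopback check is the automated form of the `echo "$WEB_BASE_URL"` diagnosis above.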

Exit criteria

  • Recording is complete
  • VM network adapter switched from NAT to Bridged
  • Loopback-only constraints removed
  • CI no longer requires SSH tunneling
  • Name-based routing (e.g., sut.testlab) restored