DEV Community: CTRLNODE.AI The latest articles on DEV Community by CTRLNODE.AI (@ctrlnodeai). https://dev.to/ctrlnodeai https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3946913%2F6220fab0-ea7b-4f94-a371-0c5d87d20ef1.png DEV Community: CTRLNODE.AI https://dev.to/ctrlnodeai en Building an outbound-only WebSocket bridge for local AI agents CTRLNODE.AI Sat, 23 May 2026 00:25:34 +0000 https://dev.to/ctrlnodeai/building-an-outbound-only-websocket-bridge-for-local-ai-agents-2o6g https://dev.to/ctrlnodeai/building-an-outbound-only-websocket-bridge-for-local-ai-agents-2o6g <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6onw7h59eo0wi17pv17y.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6onw7h59eo0wi17pv17y.png" alt="Building an outbound-only WebSocket bridge for local AI agents" width="799" height="336"></a><br> I work with AI agents every day. Claude Code, Copilot, Gemini CLI — running locally, with access to my filesystem, my repos, my tools. The results are genuinely good. But there's a wall: <strong>the moment you leave your desk, you lose control</strong>. There's no real way to kick off an agent task from your phone, monitor a long-running pipeline from a coffee shop, or schedule something to run overnight.</p> <p>Every solution I found had the same trade-off: you either open a port, install a tunnel daemon, or upload your code to someone's cloud. None of those felt right for infrastructure that has access to your local filesystem.</p> <p>So I built <a href="https://ctrlnode.ai" rel="noopener noreferrer">CTRL NODE</a> — a browser-based control plane for local AI agents. The key piece is a process called the <strong>Bridge</strong>: a lightweight Node.js daemon that runs on your machine and connects to the cloud without ever accepting an inbound connection.</p> <p>This article is about how that works, why the design choices matter, and what the actual code looks like.</p> <h2> Why outbound-only? </h2> <p>The naive approach is to expose your local agent runtime on a port and let the cloud reach in. Tools like ngrok do exactly this — they create a reverse proxy to your localhost. It works, but it has real costs:</p> <ul> <li> <strong>Open port = attack surface.</strong> Every ngrok tunnel is a publicly reachable endpoint. If auth breaks, someone else can talk to your agent.</li> <li> <strong>Third-party traffic relay.</strong> Your prompts, file paths, and agent responses travel through ngrok's infrastructure.</li> <li> <strong>Daemon complexity.</strong> You're running persistent infrastructure that you didn't write and can't audit easily.</li> </ul> <p>The alternative: flip the connection direction. The Bridge connects <em>out</em> to the cloud. The cloud pushes commands <em>down</em> that connection. The local machine never listens on a public port.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Your machine ctrlnode.ai cloud ────────────────────────────────────────────────── Bridge ──── ws:// connect() ────▶ WebSocket server ◀─── {action: "run_task", ...} ──────────── ───── stdout/stderr events ──────────────▶ </code></pre> </div> <p>This is the same pattern used by IoT devices, CI agents (like the GitHub Actions runner), and remote desktop clients. The cloud doesn't initiate — it waits.</p> <h2> The connection lifecycle </h2> <p>Here's the core of <code>websocket.ts</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kd">function</span> <span class="nf">connect</span><span class="p">():</span> <span class="k">void</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">url</span> <span class="o">=</span> <span class="nf">buildWsUrl</span><span class="p">();</span> <span class="nx">ws</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">WebSocket</span><span class="p">(</span><span class="nx">url</span><span class="p">,</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="nf">buildAuthHeaders</span><span class="p">()</span> <span class="p">});</span> <span class="nx">ws</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">"</span><span class="s2">open</span><span class="dl">"</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="dl">"</span><span class="s2">Bridge connected to SAAS</span><span class="dl">"</span><span class="p">);</span> <span class="nf">flushPendingQueue</span><span class="p">();</span> <span class="nf">startHeartbeat</span><span class="p">();</span> <span class="p">});</span> <span class="nx">ws</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">"</span><span class="s2">message</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="na">data</span><span class="p">:</span> <span class="nx">WebSocket</span><span class="p">.</span><span class="nx">RawData</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">message</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nf">toString</span><span class="p">())</span> <span class="k">as</span> <span class="nx">InboundMessage</span><span class="p">;</span> <span class="nf">handleInboundMessage</span><span class="p">(</span><span class="nx">message</span><span class="p">);</span> <span class="p">});</span> <span class="nx">ws</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">"</span><span class="s2">close</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="na">code</span><span class="p">:</span> <span class="kr">number</span><span class="p">,</span> <span class="na">reason</span><span class="p">:</span> <span class="nx">Buffer</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">stopHeartbeat</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="nf">isAuthError</span><span class="p">(</span><span class="nx">code</span><span class="p">,</span> <span class="nx">reason</span><span class="p">.</span><span class="nf">toString</span><span class="p">()))</span> <span class="p">{</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">warn</span><span class="p">(</span><span class="s2">`Auth error (</span><span class="p">${</span><span class="nx">code</span><span class="p">}</span><span class="s2">), retrying in </span><span class="p">${</span><span class="nx">AUTH_RETRY_MS</span> <span class="o">/</span> <span class="mi">1000</span><span class="p">}</span><span class="s2">s`</span><span class="p">);</span> <span class="nf">setTimeout</span><span class="p">(</span><span class="nx">connect</span><span class="p">,</span> <span class="nx">AUTH_RETRY_MS</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nf">scheduleReconnect</span><span class="p">();</span> <span class="p">}</span> <span class="p">});</span> <span class="nx">ws</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">"</span><span class="s2">error</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="na">err</span><span class="p">:</span> <span class="nb">Error</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="s2">`WebSocket error: </span><span class="p">${</span><span class="nx">err</span><span class="p">.</span><span class="nx">message</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>Three things to notice:</p> <ol> <li><p><strong>Auth errors get a longer timeout.</strong> If the server returns 1008 (Policy Violation) or 1002, or the reason string contains <code>"401"</code>/<code>"403"</code>/<code>"Unauthorized"</code>, we wait 30 seconds before retrying. Hammering an auth-rejected endpoint is pointless and noisy.</p></li> <li><p><strong>Normal closes trigger exponential backoff.</strong> <code>scheduleReconnect()</code> uses a standard backoff so a transient network blip doesn't flood logs.</p></li> <li><p><strong>On open, we flush the queue.</strong> More on this below.</p></li> </ol> <h2> Keeping the connection alive through load balancers </h2> <p>Cloud load balancers will kill idle WebSocket connections after 30–60 seconds. The fix is a heartbeat:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">HEARTBEAT_INTERVAL_MS</span> <span class="o">=</span> <span class="mi">20</span><span class="nx">_000</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">heartbeatTimer</span><span class="p">:</span> <span class="nx">NodeJS</span><span class="p">.</span><span class="nx">Timeout</span> <span class="o">|</span> <span class="kc">null</span> <span class="o">=</span> <span class="kc">null</span><span class="p">;</span> <span class="kd">function</span> <span class="nf">startHeartbeat</span><span class="p">():</span> <span class="k">void</span> <span class="p">{</span> <span class="nx">heartbeatTimer</span> <span class="o">=</span> <span class="nf">setInterval</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">sendToSaas</span><span class="p">({</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">heartbeat</span><span class="dl">"</span><span class="p">,</span> <span class="na">timestamp</span><span class="p">:</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="p">});</span> <span class="p">},</span> <span class="nx">HEARTBEAT_INTERVAL_MS</span><span class="p">);</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">stopHeartbeat</span><span class="p">():</span> <span class="k">void</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">heartbeatTimer</span><span class="p">)</span> <span class="p">{</span> <span class="nf">clearInterval</span><span class="p">(</span><span class="nx">heartbeatTimer</span><span class="p">);</span> <span class="nx">heartbeatTimer</span> <span class="o">=</span> <span class="kc">null</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Every 20 seconds, a small message goes up. The server acknowledges it (or doesn't — we don't care, the goal is just to keep TCP active). This is cheap and it works reliably with AWS ALB, Cloudflare, and most managed WebSocket proxies.</p> <h2> Buffering outbound messages during disconnection </h2> <p>When the Bridge is reconnecting, agent output still arrives. If we drop those events, the user watching a pipeline in their browser sees a gap in the live log. The solution is a small in-memory queue:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">PENDING_QUEUE_MAX</span> <span class="o">=</span> <span class="mi">100</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">pendingQueue</span><span class="p">:</span> <span class="nx">OutboundMessage</span><span class="p">[]</span> <span class="o">=</span> <span class="p">[];</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">sendToSaas</span><span class="p">(</span><span class="nx">message</span><span class="p">:</span> <span class="nx">OutboundMessage</span><span class="p">):</span> <span class="k">void</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">ws</span> <span class="o">||</span> <span class="nx">ws</span><span class="p">.</span><span class="nx">readyState</span> <span class="o">!==</span> <span class="nx">WebSocket</span><span class="p">.</span><span class="nx">OPEN</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">pendingQueue</span><span class="p">.</span><span class="nx">length</span> <span class="o">&lt;</span> <span class="nx">PENDING_QUEUE_MAX</span><span class="p">)</span> <span class="p">{</span> <span class="nx">pendingQueue</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="nx">message</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="nx">ws</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">message</span><span class="p">));</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">flushPendingQueue</span><span class="p">():</span> <span class="k">void</span> <span class="p">{</span> <span class="k">while </span><span class="p">(</span><span class="nx">pendingQueue</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">msg</span> <span class="o">=</span> <span class="nx">pendingQueue</span><span class="p">.</span><span class="nf">shift</span><span class="p">()</span><span class="o">!</span><span class="p">;</span> <span class="nx">ws</span><span class="o">!</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">msg</span><span class="p">));</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Cap at 100 messages, flush on reconnect. Simple, and it handles the common case of a 2–3 second reconnect window without losing events.</p> <h2> Multi-agent routing via the filesystem </h2> <p>Here's the part that took the most thought: how do you run multiple agents — Claude, Copilot, Gemini — on the same machine, routing tasks to the right one?</p> <p>The answer isn't a routing layer in the WebSocket code. It's the <strong>filesystem</strong>.</p> <p>Each pipeline task gets an isolated directory:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>workspace/ tasks/ task-abc123/ input/ TASK.md ← instructions for the agent context-files/ ← any files the user attached output/ TASK.md ← agent writes progress here artifacts/ ← anything the agent produces </code></pre> </div> <p>The Bridge watches these directories. When a <code>run_task</code> command arrives:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">case</span> <span class="dl">"</span><span class="s2">run_task</span><span class="dl">"</span><span class="p">:</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">taskId</span><span class="p">,</span> <span class="nx">agentProvider</span><span class="p">,</span> <span class="nx">workspacePath</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">message</span><span class="p">.</span><span class="nx">payload</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">provider</span> <span class="o">=</span> <span class="nf">getProvider</span><span class="p">(</span><span class="nx">agentProvider</span><span class="p">);</span> <span class="c1">// Claude | Copilot | Gemini | ...</span> <span class="k">await</span> <span class="nx">provider</span><span class="p">.</span><span class="nf">executeTask</span><span class="p">(</span><span class="nx">taskId</span><span class="p">,</span> <span class="nx">workspacePath</span><span class="p">);</span> <span class="k">break</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>Each provider implementation knows how to invoke its agent CLI with the right arguments and working directory. Claude Code gets <code>claude --print</code> with the task directory. Copilot gets its own invocation. They never share context — each runs in its own subprocess, reading from and writing to its own task folder.</p> <p>This means:</p> <ul> <li> <strong>No prompt pollution.</strong> Agent A's context doesn't leak into Agent B.</li> <li> <strong>Parallel execution.</strong> Two agents can run simultaneously without coordination overhead.</li> <li> <strong>Auditability.</strong> Every task leaves a paper trail on disk.</li> <li> <strong>Portability.</strong> The cloud control plane never sees your file contents. It only sees task metadata and status events.</li> </ul> <h2> Provider selection and gating </h2> <p>Some actions only make sense for certain providers. The message handler maintains an explicit set:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">OPENCLAW_ONLY_ACTIONS</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Set</span><span class="p">([</span> <span class="dl">"</span><span class="s2">openclaw_configure</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">openclaw_stream_chunk</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">openclaw_reset_context</span><span class="dl">"</span><span class="p">,</span> <span class="p">]);</span> <span class="kd">function</span> <span class="nf">handleInboundMessage</span><span class="p">(</span><span class="nx">message</span><span class="p">:</span> <span class="nx">InboundMessage</span><span class="p">):</span> <span class="k">void</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">OPENCLAW_ONLY_ACTIONS</span><span class="p">.</span><span class="nf">has</span><span class="p">(</span><span class="nx">message</span><span class="p">.</span><span class="nx">action</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="nx">activeProvider</span> <span class="o">!==</span> <span class="dl">"</span><span class="s2">openclaw</span><span class="dl">"</span><span class="p">)</span> <span class="p">{</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">warn</span><span class="p">(</span><span class="s2">`Received </span><span class="p">${</span><span class="nx">message</span><span class="p">.</span><span class="nx">action</span><span class="p">}</span><span class="s2"> but provider is </span><span class="p">${</span><span class="nx">activeProvider</span><span class="p">}</span><span class="s2"> — ignoring`</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// ... dispatch to handler</span> <span class="p">}</span> </code></pre> </div> <p>This prevents misconfigured cloud deployments from accidentally sending the wrong command type to the wrong agent. The Bridge is the last line of defense before your filesystem.</p> <h2> The startup sequence </h2> <p><code>index.ts</code> ties it together:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">main</span><span class="p">():</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="k">void</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">providers</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">createProviders</span><span class="p">(</span><span class="nx">config</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">multi</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">MultiProvider</span><span class="p">(</span><span class="nx">providers</span><span class="p">);</span> <span class="nf">connect</span><span class="p">();</span> <span class="c1">// start WebSocket, non-blocking</span> <span class="kd">const</span> <span class="nx">keepaliveInterval</span> <span class="o">=</span> <span class="nf">setInterval</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{},</span> <span class="mi">1</span> <span class="o">&lt;&lt;</span> <span class="mi">30</span><span class="p">);</span> <span class="nx">keepaliveInterval</span><span class="p">.</span><span class="nf">unref</span><span class="p">();</span> <span class="c1">// don't prevent process exit</span> <span class="nx">process</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">"</span><span class="s2">SIGINT</span><span class="dl">"</span><span class="p">,</span> <span class="nx">gracefulShutdown</span><span class="p">);</span> <span class="nx">process</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">"</span><span class="s2">SIGTERM</span><span class="dl">"</span><span class="p">,</span> <span class="nx">gracefulShutdown</span><span class="p">);</span> <span class="k">await</span> <span class="nx">multi</span><span class="p">.</span><span class="nf">runSyncAgents</span><span class="p">();</span> <span class="c1">// provider-specific background sync</span> <span class="p">}</span> </code></pre> </div> <p>The <code>keepaliveInterval</code> trick (<code>unref()</code>) is worth noting: it keeps the event loop alive when nothing else is pending, but doesn't prevent a clean <code>SIGINT</code>/<code>SIGTERM</code> from shutting the process down. Without it, <code>connect()</code> is async and Node exits immediately after starting.</p> <h2> What this enables </h2> <p>With the Bridge running, the CTRL NODE web app can:</p> <ul> <li> <strong>Launch tasks</strong> against any connected agent from any browser, anywhere</li> <li> <strong>Watch live output</strong> streamed back over the same WebSocket</li> <li> <strong>Schedule routines</strong> — the cloud scheduler wakes the Bridge at the configured time, no cron job needed on the local machine</li> <li> <strong>Run multi-step pipelines</strong> where each node can use a different agent</li> </ul> <p>None of your code leaves your machine. The cloud only sees: "task started", "task output line", "task completed". The actual file contents, prompts, and agent context stay local.</p> <h2> Why open source? </h2> <p>The Bridge is MIT licensed (<a href="https://github.com/ctrlnode-ai/ctrlnode" rel="noopener noreferrer">github.com/ctrlnode-ai/ctrlnode</a>). You can read every line of the WebSocket handler, every message type, every auth check. If you don't trust the binary, build it yourself.</p> <p>The rest of CTRL NODE — the cloud scheduler, the web app, the real-time pipeline view — runs as a hosted service. The Bridge is the trust boundary: it's the piece that runs with access to your local system, and it needs to be auditable.</p> <h2> Try it </h2> <p>If you work with AI agents and want a way to control them remotely without sacrificing privacy:</p> <ol> <li>Install the Bridge: <code>npm install -g @ctrlnode/bridge &amp;&amp; ctrlnode bridge start</code> </li> <li>Sign up at <a href="https://ctrlnode.ai" rel="noopener noreferrer">ctrlnode.ai</a> — it's free</li> <li>Open the web app from anywhere and connect</li> </ol> <p>Questions, issues, or PRs: <a href="https://github.com/ctrlnode-ai/ctrlnode" rel="noopener noreferrer">github.com/ctrlnode-ai/ctrlnode</a> or reply here.</p> <p><em>Javier Vil — Creator of CTRL NODE</em></p> ai websocket node typescript