From bb36fc4486176c6a4b67b504dc322a8f094089bb Mon Sep 17 00:00:00 2001
From: mkorwel
Date: Sun, 15 Mar 2026 13:18:15 -0700
Subject: [PATCH] feat(offload): implement internal-only network architecture and disable external IPs
---
 .gemini/skills/offload/scripts/fleet.ts | 2 ++
 .gemini/skills/offload/scripts/setup.ts | 8 ++++----
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/.gemini/skills/offload/scripts/fleet.ts b/.gemini/skills/offload/scripts/fleet.ts
index 4cfe292240..8fe5c8eabd 100644
--- .gemini/skills/offload/scripts/fleet.ts
+++ b/.gemini/skills/offload/scripts/fleet.ts
@@ -6,6 +6,7 @@
 import { spawnSync } from 'child_process';
 import path from 'path';
 import fs from 'fs';
+import os from 'os';
 const PROJECT_ID = 'gemini-cli-team-quota';
 const USER = process.env.USER || 'mattkorwel';
@@ -80,6 +81,7 @@ runcmd:
 '--metadata', `enable-oslogin=TRUE${sshKeyMetadata ? `,ssh-keys=${sshKeyMetadata}` : ''}`,
 '--labels', `owner=${USER.replace(/[^a-z0-9_-]/g, '_')},type=offload-worker`,
 '--tags', `gcli-offload-${USER}`,
+ '--network-interface', 'network-tier=PREMIUM,no-address',
 '--scopes', 'https://www.googleapis.com/auth/cloud-platform'
 ], { stdio: 'inherit' });
diff --git a/.gemini/skills/offload/scripts/setup.ts b/.gemini/skills/offload/scripts/setup.ts
index fe14c28817..eea19757b7 100644
--- .gemini/skills/offload/scripts/setup.ts
+++ b/.gemini/skills/offload/scripts/setup.ts
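Review bot: With `no-address` on the new `--network-interface` line the worker has no route to the internet unless its subnet has Cloud NAT (plus Private Google Access for Google APIs), and nothing in this patch creates or checks for either. The hunk header shows the instance is built from a cloud-init `runcmd:` section, so any package or image download in that script would presumably fail on first boot; a preflight check that stops with a clear message is safer than a worker that comes up half-provisioned. `network-tier=PREMIUM` describes an external address and appears to have no effect next to `no-address`, so the value can be reduced to `'--network-interface', 'no-address',`. The surrounding `spawnSync` call starts and ends outside the hunk.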
@@ -42,7 +42,7 @@ export async function runSetup(env: NodeJS.ProcessEnv = process.env) {
 const useContainer = await confirm('Use Container-Native mode (Container-Optimized OS)?');
 console.log(`šŸ” Verifying access and finding worker ${targetVM}...`);
- const statusCheck = spawnSync(`gcloud compute instances describe ${targetVM} --project ${projectId} --zone ${zone} --format="json(status,networkInterfaces[0].accessConfigs[0].natIP)"`, { shell: true });
+ const statusCheck = spawnSync(`gcloud compute instances describe ${targetVM} --project ${projectId} --zone ${zone} --format="json(status,networkInterfaces[0].networkIP)"`, { shell: true });
 let instanceData: any;
 try {
@@ -55,7 +55,7 @@ export async function runSetup(env: NodeJS.ProcessEnv = process.env) {
 }
 const status = instanceData.status;
- const publicIp = instanceData.networkInterfaces[0].accessConfigs[0].natIP;
+ const internalIp = instanceData.networkInterfaces[0].networkIP;
 if (status !== 'RUNNING') {
 console.log(`āš ļø Worker is ${status}. Starting it for initialization...`);
@@ -63,12 +63,12 @@ export async function runSetup(env: NodeJS.ProcessEnv = process.env) {
 }
 // 1. Configure Fast-Path SSH Alias
- console.log(`\nšŸš€ Configuring Fast-Path SSH Alias...`);
+ console.log(`\nšŸš€ Configuring Fast-Path SSH Alias (Internal IP)...`);
 const sshAlias = 'gcli-worker';
 const sshConfigPath = path.join(os.homedir(), '.ssh/config');
 const sshEntry = `
 Host ${sshAlias}
- HostName ${publicIp}
+ HostName ${internalIp}
 IdentityFile ~/.ssh/google_compute_engine
 User ${env.USER || 'mattkorwel'}_google_com
 CheckHostIP no
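Review bot: The rewritten `statusCheck` line still assembles the gcloud command as one string and runs it with `{ shell: true }`, so `targetVM`, `projectId` and `zone` are parsed by the shell. Where those values come from is outside the hunk, but if any of them is read from the environment or a prompt, a value containing shell metacharacters changes the command that runs. fleet.ts in this same patch already passes an argument array, and since this line is being edited anyway it could become `spawnSync('gcloud', ['compute', 'instances', 'describe', targetVM, '--project', projectId, '--zone', zone, '--format', 'json(status,networkInterfaces[0].networkIP)'])`. The body of `runSetup` starts and ends outside the hunk.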
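Review bot: `internalIp` is taken from `instanceData`, which is typed `any`, with no check that `networkInterfaces[0]` exists or that the value is an address, and a later hunk interpolates it into `~/.ssh/config`. A missing interface ends in a bare TypeError, and any unexpected string would be written into the user's SSH configuration verbatim. I would read it as `const internalIp = instanceData.networkInterfaces?.[0]?.networkIP;` and stop with a clear error unless it matches a plain IPv4 pattern such as `/^\d{1,3}(\.\d{1,3}){3}$/`. The enclosing `try` block and the rest of `runSetup` are outside the hunk.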
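Review bot: Pointing `HostName` at the internal address means the `gcli-worker` alias only connects from a machine that already has a route into the VPC, and the patch adds no tunnel or check for the case where it does not. Private addresses are not unique across networks, so on a different network another host can answer at the same IP; with `CheckHostIP no` in the entry, host-key verification is what tells the two apart, and the options that follow outside the hunk should not relax `StrictHostKeyChecking`. If workstations connect from outside the VPC, routing the alias through IAP (the path `gcloud compute ssh --tunnel-through-iap` uses) keeps the no-external-IP goal without assuming a VPN. The `sshEntry` template continues past the end of the hunk.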