Nushell-via-hero_proc integration + admin access control #8

New issue

Closed

opened 2026-04-26 12:16:44 +00:00 by mahmoud · 1 comment

mahmoud commented 2026-04-26 12:16:44 +00:00

Owner

Copy link

Overview

Wire hero_codescalers features to execute through nushell Actions/Jobs in hero_proc, and lock the dashboard behind an IPv6 admin whitelist stored in hero_proc secrets.

Child Issues

• #9 — Verify hero_proc executes nushell scripts correctly as Action → Job
• #10 — Tag jobs/actions for bulk cleanup (prevent unbounded growth)
• #11 — Configure ADMIN_SECRETS IPv6 whitelist so only admins reach hero_codescalers
• #12 — Verify hero_proc + hero_router + hero_codescalers start together cleanly

## Overview Wire hero_codescalers features to execute through nushell Actions/Jobs in hero_proc, and lock the dashboard behind an IPv6 admin whitelist stored in hero_proc secrets. ## Child Issues - [ ] #9 — Verify hero_proc executes nushell scripts correctly as Action → Job - [ ] #10 — Tag jobs/actions for bulk cleanup (prevent unbounded growth) - [ ] #11 — Configure ADMIN_SECRETS IPv6 whitelist so only admins reach hero_codescalers - [ ] #12 — Verify hero_proc + hero_router + hero_codescalers start together cleanly

mahmoud referenced this issue 2026-04-26 12:20:43 +00:00

Verify hero_proc + hero_router + hero_codescalers start together cleanly #12

mahmoud referenced this issue 2026-04-26 12:20:59 +00:00

Configure ADMIN_SECRETS IPv6 whitelist for dashboard access control #11

mahmoud referenced this issue 2026-04-26 12:21:10 +00:00

Tag jobs and actions for bulk cleanup in hero_proc #10

mahmoud referenced this issue 2026-04-26 12:21:20 +00:00

Verify hero_proc executes nushell scripts as Action → Job #9

mahmoud self-assigned this 2026-04-26 16:33:15 +00:00

mahmoud added this to the ACTIVE project 2026-04-26 16:33:26 +00:00

mahmoud referenced this issue from a commit 2026-04-27 05:59:24 +00:00

fix(service_codescalers): require --root, refuse per-user start

mahmoud referenced this issue from lhumina_code/hero_skills 2026-04-27 06:00:48 +00:00

fix(service_codescalers): require --root, refuse per-user start #140

mahmoud referenced this issue 2026-04-27 17:09:03 +00:00

Verify hero_proc + hero_router + hero_codescalers start together cleanly #12

mahmoud commented 2026-04-27 17:09:58 +00:00

Author

Owner

Copy link

Closed — all four children done

Child	What landed	Where
#9 Verify nushell pipeline	Verified end-to-end + bug fix (nu → nushell interpreter mapping; anyhow chain unwrap in rpc_handler)	PR #13 (merged)
#10 Tag jobs/actions for bulk cleanup	jobs.cleanup RPC + CLI subcommand; admin-gated; dry_run; predicate filters on kind/target/actor/older_than_ms; 7 unit tests	PR #14 (merged)
#11 Configure ADMIN_SECRETS whitelist	Configured + verified; documented architectural finding that the gate matches TCP source IP (= origin host TUN for cross-host mycelium calls), so ADMIN_SECRETS is "admin hosts" not "admin users"	No code (config + docs only)
#12 Verify proc + router + codescalers boot together	Verified clean three-process startup on kristof4. PR #140 (hero_skills, merged) enforces service_codescalers --root and refuses per-user start	hero_skills PR #140

Bonus fixes surfaced during this work

• hero_proc PR #50 (merged): spec.tags were not being copied onto Job.tags at job.create time, so JobSummary.tags was always null and tag filters returned nothing. One-line fix in rpc/job.rs handle_create. Without this, jobs.cleanup (#10) couldn't find anything to clean.
• hero_codescalers PR #15 (open): disk widget + disk_total_gb / disk_used_gb / disk_pct in the stats RPC and sidebar UI. Surfaced while looking at the system-stats panel during #12 verification.

End-to-end behaviour now

On kristof4:

• proc + router + codescalers boot cleanly.
• ADMIN_SECRETS gate enforces at the router accept loop; only the four kristof host TUNs reach the codescalers admin TCP listener.
• Triggering a feature (e.g. service.start service_router) enqueues a tagged hero_proc job; it shows up in the codescalers Jobs tab via jobs.list.
• jobs.cleanup --dry-run enumerates matching jobs and their unique action specs; without --dry-run it bulk-deletes both. hero_proc row count drops accordingly.
• Sidebar shows live mem / cpu / disk every 30 s.

Closing.

## Closed — all four children done | Child | What landed | Where | |-------|-------------|-------| | #9 Verify nushell pipeline | Verified end-to-end + bug fix (`nu` → `nushell` interpreter mapping; anyhow chain unwrap in `rpc_handler`) | PR #13 (merged) | | #10 Tag jobs/actions for bulk cleanup | `jobs.cleanup` RPC + CLI subcommand; admin-gated; `dry_run`; predicate filters on kind/target/actor/older_than_ms; 7 unit tests | PR #14 (merged) | | #11 Configure ADMIN_SECRETS whitelist | Configured + verified; documented architectural finding that the gate matches TCP source IP (= origin host TUN for cross-host mycelium calls), so `ADMIN_SECRETS` is "admin hosts" not "admin users" | No code (config + docs only) | | #12 Verify proc + router + codescalers boot together | Verified clean three-process startup on kristof4. PR #140 (hero_skills, merged) enforces `service_codescalers --root` and refuses per-user start | hero_skills PR #140 | ## Bonus fixes surfaced during this work - **hero_proc PR #50 (merged):** `spec.tags` were not being copied onto `Job.tags` at `job.create` time, so `JobSummary.tags` was always `null` and tag filters returned nothing. One-line fix in `rpc/job.rs` `handle_create`. Without this, `jobs.cleanup` (#10) couldn't find anything to clean. - **hero_codescalers PR #15 (open):** disk widget + `disk_total_gb` / `disk_used_gb` / `disk_pct` in the `stats` RPC and sidebar UI. Surfaced while looking at the system-stats panel during #12 verification. ## End-to-end behaviour now On kristof4: - proc + router + codescalers boot cleanly. - ADMIN_SECRETS gate enforces at the router accept loop; only the four kristof host TUNs reach the codescalers admin TCP listener. - Triggering a feature (e.g. `service.start service_router`) enqueues a tagged hero_proc job; it shows up in the codescalers Jobs tab via `jobs.list`. - `jobs.cleanup --dry-run` enumerates matching jobs and their unique action specs; without `--dry-run` it bulk-deletes both. `hero_proc` row count drops accordingly. - Sidebar shows live mem / cpu / disk every 30 s. Closing.

mahmoud closed this issue 2026-04-27 17:09:58 +00:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

development

development_users_ui_jobs_e2e

development_users_ui_mgmt

development_iroh_kvs

master

main

No results found.

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

ACTIVE

Assignees

Clear assignees

No assignees

mahmoud

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

lhumina_code/hero_codescalers#8

No description provided.