[Phase 2] Codify demo-VM hotfixes into upstream code — clean runbook, no manual steps #36

Open
opened 2026-04-28 12:21:28 +00:00 by mik-tf · 0 comments
Owner

Phase 2 — codify demo-VM hotfixes into upstream code (clean runbook, no manual steps)

Goal

Get the Hero OS nu-shell deploy to a state where a fresh VM redeploys via the runbook in ~1.5 hours with no manual hotfix steps — just terraform, bootstrap, install, optional auth, optional snapshot.

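Phase 1 (merge code-bearing PRs) is complete:

  • hero_office #3 (2dbc543) — OnlyOffice integration
  • hero_agent #8 + #9 (5bea19b) — MCP tool name sanitizer
  • hero_os #91 closed (review thread for already-merged Biz fix 000922b)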

Runbook captured at hero_demo/docs/ops/DEPLOYMENT_NU_HERO_OS.md. Method captured at hero_demo/docs/ops/FIX_TRIAGE.md.

This issue tracks Phase 2 — converting the runbook's manual fixup sections (§4.5, §10, §11, §12) into upstream code in hero_skills, hero_proxy, and hero_demo.

Tier 1 — small, mechanical (hero_skills bootstrap; ~1 day total, all parallel)

Single-file changes to hero_skills/install/ bootstrap or apt config. Each is independently mergeable.

  • hero_skills/development_mik_apt_deps — add libclang-dev cmake python3 python3-openpyxl jq sqlite3 to bootstrap apt list. Closes home#170, home#172
  • hero_skills/development_mik_uv_install — add curl -LsSf https://astral.sh/uv/install.sh | sh for uv (used by hero_code's python_exec). Closes home#170
  • hero_skills/development_mik_chrome_install — Google Chrome .deb apt source (Ubuntu's chromium-browser is a snap wrapper that fails on TF Grid flists). Closes home#177
  • hero_skills/development_mik_onnxruntime — wget+tar both ONNX runtimes: 1.23.2 → /usr/local/onnxruntime/, 1.24.x → /usr/local/onnxruntime-1.24/. Closes home#162, partially home#173
  • hero_skills/development_mik_libreoffice — apt install libreoffice-core libreoffice-impress libreoffice-writer libreoffice-calc (used for at-click PDF preview generation). Closes home#178 prerequisite
  • hero_skills/development_mik_init_sh_env — install.sh reads HERO_ROOTDIR env var and skips the interactive prompt when set. Closes home#164

After Tier 1: runbook §2 (Bootstrap the VM) collapses from 6 manual steps to one bash bootstrap.sh invocation.

Tier 2 — medium, requires nu-shell module understanding (hero_skills services + hero_proxy; ~1.5 days, ordered)

Touches the actual nu-shell service modules. Each has internal ordering dependencies (Docker before OnlyOffice; ONNX install before embedder/voice env).

  • hero_skills/development_mik_service_set_after_install — service_install_all.nu calls service.set for every action it registers, eliminating the herodemo_set_services.py workaround. Closes home#167
  • hero_skills/development_mik_embedder_env — service_embedder.nu sets ORT_LIB_LOCATION=/usr/local/onnxruntime/lib, LD_LIBRARY_PATH=/usr/local/onnxruntime/lib, EMBEDDER_MODELS=/data/home/driver/hero/var/embedder/models. Closes home#166
  • hero_skills/development_mik_voice_env — service_voice.nu sets ORT_LIB_LOCATION=/usr/local/onnxruntime-1.24/lib, LD_LIBRARY_PATH=/usr/local/onnxruntime-1.24/lib, ORT_PREFER_DYNAMIC_LINK=1. Closes home#173 (deploy-side)
  • hero_skills/development_mik_office_env — service_office.nu sets ONLYOFFICE_JWT_SECRET (from generated secret or env), OO_SERVER_URL (templated from public hostname), OO_UPSTREAM_BASE=http://10.1.2.2:8088, CONNECTOR_EXTERNAL_URL=http://10.1.2.2:9990. Closes home#174 (deploy-side)
  • hero_skills/development_mik_docker_btrfs — bootstrap installs Docker, sets /etc/docker/daemon.json with data-root: /data/docker + storage-driver: btrfs, starts via nohup dockerd (no systemd on TF Grid). Closes home#181
  • hero_skills/development_mik_onlyoffice_install — new service_onlyoffice.nu module: docker pull onlyoffice/documentserver:latest, docker run -d with JWT secret, registers a hero_proc supervisor entry. Depends on development_mik_docker_btrfs. Closes home#174 end-to-end
  • hero_skills/development_mik_basic_auth — optional nginx + htpasswd setup driven by HERO_AUTH_MODE=basic env var (and credentials via HERO_AUTH_BASIC_USER/HERO_AUTH_BASIC_PASS). Closes home#182 (basic mode)
  • hero_proxy/development_mik_runbook_setup — installer-side helper that runs proxy domain add ... --auth-mode <mode> based on HERO_AUTH_MODE env (oauth/optional/bearer). Closes home#182 (canonical mode)

After Tier 2: runbook §4.5 (action env patches), §10 (Docker), §11 (OnlyOffice), §12 (auth) all become flags on the install pipeline.

Tier 3 — content seeding (hero_demo; ~0.5 days)

  • hero_demo/development_mik_seed_data — commit sample files to hero_demo/data/seed/{office,diagrams,books}/:

    • 3 .vsdx from Apache POI (already on VM, ready to extract)
    • 5 .pptx (Geomind-themed, pandoc-generated)
    • 5 .xlsx (openpyxl-generated)
    • companion .pdf for each (libreoffice-generated)
    • libraries.txt for hero_books
    • install-time hook in service_office.nu / service_books.nu to cp into webdav/<context>/

    Closes home#183

After Tier 3: runbook §7 (Seed content) becomes "automatic at install time."

After Tier 1 + 2 + 3 — the simplified runbook

```bash
# 1. Provision (terraform)
cd hero_demo/deploy/single-vm
cp envs/herodemo/tf/credentials.auto.tfvars.example envs/<NAME>/tf/credentials.auto.tfvars
# edit with node_id, gateway_node, cpu, memory, rootfs_size=16384, publicip=true
terraform -chdir=envs/<NAME>/tf init
terraform -chdir=envs/<NAME>/tf apply -auto-approve

# 2. Bootstrap (one curl)
ssh root@<ipv4> "curl -fsSL https://forge.ourworld.tf/lhumina_code/hero_skills/raw/branch/development/install/bootstrap.sh | bash"

# 3. Install services (one nu command)
ssh root@<ipv4> "su - driver -c 'source ~/hero/cfg/init.sh && service_install_all'"

# 4. (optional) Auth
ssh root@<ipv4> "HERO_AUTH_MODE=optional service_install_all --reconfigure"
# or HERO_AUTH_MODE=oauth + Google credentials, or HERO_AUTH_MODE=basic

# 5. (optional) Restore from snapshot
scp ~/heronu-backups/herodemo-backup-<ts>.tar.gz root@<ipv4>:/data/home/driver/
ssh root@<ipv4> "su - driver -c 'cd ~ && tar xzf herodemo-backup-*.tar.gz && hero_proc service restart-all'"

# 6. Verify
curl -s -o /dev/null -w '%{http_code}\n' https://<gw>.gent01.grid.tf/
```

Wall-clock target: 1.5 hours (apt + cargo build dominate).

Deferred — NOT Phase 2 (open issues, separate engineering)

These are real upstream code work, NOT codify-the-runbook tasks:

  • home#180 — hero_biz_ui Hero0Config refactor for OSIS per-domain split. Multi-day. Native Business island works as alternative.
  • home#173 (full unification) — unify ort crate version across hero_voice + hero_embedder so a single ONNX install suffices. Cross-repo, multi-day.
  • home#175 — OSIS admin UI aggregator (/api/services discovery). Design discussion needed.
  • home#176 — hero_books navbar fix (resolved by enabling island-books-native feature in the WASM build, not a code change to hero_books_ui).
  • home#184 — hero_books light-mode card contrast (same WASM-native enablement fix).
  • home#147 — Collab dark theme follow.
  • home#178 — at-click libreoffice PDF preview (orthogonal to OnlyOffice; libreoffice install via Tier 1 is the prerequisite).

These can be picked up by devops independently.

Process / quality gate

Per FIX_TRIAGE:

  • Each branch is L2 (PR for review) — not direct push
  • Before pushing: run cargo fmt --check && cargo clippy --workspace --all-targets -- -D warnings && cargo build --workspace --release (or the nu-shell equivalent verification for hero_skills modules)
  • Each PR closes its associated home issue(s) via the commit message
  • Verify on a fresh TF Grid VM before declaring tier complete (live demo on herodemo isn't sufficient — too much accumulated state)

Tracking

This issue is the master tracker. Sub-tasks above will be checked off as branches merge. Linked PRs will appear here automatically.

Once all three tiers ship, the runbook's §13 Category C goes empty and §14 Phase 2 gets a COMPLETE marker. Phase 3 (release artifacts so we don't cargo build per-deploy) becomes a separate conversation.

Signed-off-by: mik-tf
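
A preflight for the env-driven auth and secret settings listed under Tier 2, as an added example that is not code from hero_skills or hero_proxy. The env var names and mode values come from the issue; the function names and the 32-character minimum secret length are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not hero_skills code: fail the install early when the
# auth mode or secrets named in Tier 2 are missing or malformed.

MIN_SECRET_LEN=32   # assumption: shortest JWT secret accepted from the env

# Validate HERO_AUTH_MODE and the credentials that mode requires.
# Returns 0 when usable, 1 otherwise (reason on stderr, never the password).
hero_auth_preflight() {
    case "${HERO_AUTH_MODE:-}" in
        '')
            # Auth is an optional runbook step; nothing to validate.
            return 0 ;;
        oauth|optional|bearer)
            # The issue does not name the credential variables for these
            # modes, so only the mode value itself is checked here.
            return 0 ;;
        basic)
            if [ -z "${HERO_AUTH_BASIC_USER:-}" ] || [ -z "${HERO_AUTH_BASIC_PASS:-}" ]; then
                echo "HERO_AUTH_MODE=basic needs HERO_AUTH_BASIC_USER and HERO_AUTH_BASIC_PASS" >&2
                return 1
            fi
            # htpasswd entries are "user:hash", so a colon in the user name
            # would corrupt the file and the Basic auth header.
            case "$HERO_AUTH_BASIC_USER" in
                *:*) echo "HERO_AUTH_BASIC_USER must not contain ':'" >&2; return 1 ;;
            esac
            return 0 ;;
        *)
            echo "unknown HERO_AUTH_MODE (expected basic|oauth|optional|bearer)" >&2
            return 1 ;;
    esac
}

# Print the OnlyOffice JWT secret: the env value when set, otherwise a fresh
# 32-byte random value as 64 hex characters. A set-but-short value is an error
# rather than being silently replaced, so a typo cannot weaken the deployment.
hero_office_jwt_secret() {
    _secret="${ONLYOFFICE_JWT_SECRET:-}"
    if [ -z "$_secret" ]; then
        _secret="$(od -An -tx1 -N32 /dev/urandom | tr -d ' \t\n')"
    fi
    if [ "${#_secret}" -lt "$MIN_SECRET_LEN" ]; then
        echo "ONLYOFFICE_JWT_SECRET is shorter than $MIN_SECRET_LEN characters" >&2
        return 1
    fi
    printf '%s\n' "$_secret"
}
```

Call `hero_auth_preflight` before any service is registered, and capture `hero_office_jwt_secret` once so the connector and the document server container receive the same value.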


Previous comments from home#185

mik-tf — 2026-04-25T16:22:56Z

Phase 2 progress — most of Tier 1 + Tier 2 landed in one PR

Strategy adjustment: rather than 13 separate development_mik_* branches on hero_skills, the work was bundled into one squash-merged commit on hero_skills/development.

Landed: hero_skills/PR #126 → squash commit 7c823d1

Tier 1 — done (collapsed into 7c823d1)

  • apt deps (libreoffice + libssl-dev + python3 + sqlite3 + jq + wget) — split: dev-only deps in PR #125 1379cc0; libreoffice in 7c823d1
  • uv install — already covered by existing install_py (uses astral.sh/uv/install.sh)
  • Google Chrome .deb — install_chrome (closes #177)
  • ONNX Runtime 1.23.2 + 1.24.4 side-by-side — install_onnxruntime (closes #162; partial #173)
  • LibreOffice — wired into install_base (closes #178)
  • HERO_ROOTDIR env override — find_rootdir in install.sh (closes #164)

Tier 2 — done (collapsed into 7c823d1)

  • service_complete aggregator (install + register + start in dependency order) — packages.nu (closes #167)
  • embedder env vars (ORT_LIB_LOCATION, LD_LIBRARY_PATH, EMBEDDER_MODELS) — service_embedder.nu (closes #166 for embedder)
  • voice env vars (ORT_LIB_LOCATION, LD_LIBRARY_PATH, ORT_PREFER_DYNAMIC_LINK=1) — service_voice.nu (closes #166 for voice; #170 deploy-side; #173 deploy-side)
  • office OO_UPSTREAM_BASE forwarding — service_office.nu
  • Docker + btrfs storage driver + nohup fallback — install_docker_btrfs (closes #181)
  • OnlyOffice container module — new service_onlyoffice.nu (closes #174)

Tier 2 — still TODO (separate branches)

  • hero_skills/development_mik_basic_auth — optional nginx + htpasswd setup (#182 basic mode)
  • hero_proxy/development_mik_runbook_setup — proxy domain add ... --auth-mode <mode> driven by env (#182 canonical mode)

Tier 3 — still TODO

  • hero_demo/development_mik_seed_data — sample .vsdx/.pptx/.xlsx + libraries.txt (#183)

Issues closed today

#162, #164, #166, #167, #174, #177, #178, #181 — all resolved by 7c823d1.

#170 (voice ORT_PREFER_DYNAMIC_LINK) and #173 (full ort unification) left open — deploy-side is fixed but upstream ort crate work remains.

Validation

All changed nu modules load cleanly under nu -c "use ..." (parser-only — runtime validation needs a TF Grid VM).

Next sessions: basic-auth helper, hero_proxy runbook setup, seed data.

Signed-off-by: mik-tf

mik-tf — 2026-04-25T16:55:47Z

Phase 2 'what's left' — all 5 PRs opened

Five PRs ready for review covering the remaining what's left items from the boss-message snapshot. Each is independent — they can be reviewed and merged in any order.

| PR | Repo | Closes | Summary |
|----|------|--------|---------|
| hero_skills #127 | hero_skills | §4.4 (3 manual action.set invocations) | New service_agent module (was missing entirely from hero_skills); service_biz HERO0_BASE_URL env override; service_router env-driven --address + --ui-port |
| hero_skills #128 | hero_skills | §6 WASM build | New service_os wasm_build export + service_complete --wasm flag — runs make build-wasm + install-assets-release and restarts hero_os |
| hero_skills #129 | hero_skills | §12.1 (basic auth) | New basic_auth_setup helper (nginx + htpasswd) for the demo path |
| hero_skills #130 | hero_skills | §12.2 (canonical auth) | New proxy_auth_setup helper — wraps hero_proxy domain add --auth-mode oauth/bearer/optional driven by env vars |
| hero_demo #1 | hero_demo | §7 seed content | data/seed/ with pandoc/openpyxl source inputs + seed_install.sh orchestrator that generates .docx/.xlsx/.pdf on the VM and copies into hero_foundry webdav |

After all five land, the §0.1 Quick path becomes truly hot-fix-free for the happy path (basic-auth or hero_proxy auth picked per deploy). Validation on each PR is parser-only (nu -c "use ..." + bash/python AST) — runtime needs a TF Grid VM. Awaiting verification + green-light before squash-merging.

Signed-off-by: mik-tf

mik-tf — 2026-04-25T20:39:11Z

Phase 2 'what's left' — all 5 PRs merged

All five squash-merged to development:

| PR | Commit | What |
|----|--------|------|
| hero_skills #127 | 60375f4 | new service_agent + service_biz/service_router env wiring |
| hero_skills #128 | 6d1f725 | service_os wasm_build + service_complete --wasm |
| hero_skills #129 | 011dd83 | basic_auth_setup (demo nginx gate) |
| hero_skills #130 | f17e99c | proxy_auth_setup (canonical hero_proxy auth) |
| hero_demo #1 | 9318fd0 | data/seed/ + seed_install.sh |

Pre-merge audit caught 3 real bugs (AIBROKER URL scheme, stale :6666 port, cd cwd leak) — all fixed before merge.

Issues closed

#182 (auth — both deploy modes shipped), #183 (seed data).

New tracker filed

home#186 — finalize prod auth on hero_proxy and remove demo nginx helper. Operators currently choose between two auth paths; long-term we want exactly one.

What's left in Phase 2

  • home#168 — embedder build retry race (cosmetic, recoverable)
  • home#173 — ort crate version unification (multi-day cross-repo refactor; deploy-side workaround in place)
  • home#180 — hero_biz Hero0Config → OSIS per-domain refactor (multi-day; native Business island works as alternative)
  • home#186 — finalize prod auth (NEW)

The Quick path in DEPLOYMENT_NU_HERO_OS.md is now end-to-end nu commands (modulo §5 backup restore which only matters when migrating data). Runbook updated at f2444ad on hero_demo/development.

This issue stays open until the four remaining items resolve — keeps it as the umbrella tracker.

Signed-off-by: mik-tf


Originally filed as home#185 on 2026-04-25 by mik-tf — moved to hero_demo as part of consolidating issue tracking.
