chore: merge development into main for v0.1.0 release #12

Merged
mahmoud merged 34 commits from development into main 2026-04-08 07:38:12 +00:00
First release with CI workflows, clippy fixes, and musl static binaries.

Restructure hero_proxy_server into separate modules for authentication,
configuration, proxy handling, and TLS support. Update dependencies and
UI admin interface. Extend SDK and OpenRPC spec.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Bump clap 4.5->4.6, hero_proc 0.4.0->0.4.1, hero_rpc, aws-lc-rs,
tracing-subscriber, and various windows-sys/targets crates.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Switch axum-server TLS feature from tls-rustls to tls-rustls-no-provider
and explicitly install ring as the default crypto provider at startup.
This fixes TLS initialization when no default provider is set.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add clickable status dot with Bootstrap popover
- Shows UI Server + Backend health breakdown
- Polls /health every 5 seconds with retry logic

Signed-off-by: mik-tf
- hero_proc dependency now points to forge.ourworld.tf git source at development branch
- Updated hero_rpc crate dependencies (added hero_rpc_derive, hero_rpc_openrpc)
- Added axum-server, rcgen, rustls, rustls-acme dependencies to hero_proxy
- Removed hero_proxy_sdk dependency, replaced with hero_rpc_derive and hero_rpc_openrpc

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: mik-tf
- config.rs: extend socket lookup to map `_server`-suffixed paths to their
  `_ui` counterpart (e.g. `/hero_inspector_server/` → `hero_inspector_ui.sock`),
  add `_server` exact-match as final fallback, update doc comments and tests
- proxy.rs: replace bare NOT_FOUND status errors with a Bootstrap-styled HTML
  404 page that lists sockets whose names start with the requested prefix,
  helping users discover available services
- Cargo.toml / Cargo.lock: add `tempfile = "3"` as a dev-dependency to support
  the new socket-lookup unit tests

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add weblib crate, OAuth/DB/domain modules, expand OpenRPC spec and CI workflow
Some checks failed
CI / Check & Test (push) Failing after 2s
CI / Build Release (push) Has been skipped
d719feac80
- Introduce crates/weblib: shared library providing security (ACME, cert, crypto),
  proxy forwarding, DNS, auth (session, email, login templates), SQLite DB models,
  request logging, visitor tracking, and RPC spec utilities
- Add db.rs, domain.rs, oauth.rs modules to hero_proxy_server for SQLite-backed
  route/TLS/OAuth/DNS management and in-memory OAuth CSRF state store
- Refactor main.rs: delegate ACME and crypto-provider setup to weblib, add Unix
  socket permission hardening, integrate new modules
- Refactor proxy.rs: add ProxyDb and OAuthStateStore to AppState, delegate
  Unix-socket forwarding to weblib::proxy::forward
- Slim tls.rs: heavy TLS work delegated to weblib; retain env-var parsing and
  HTTP redirect helper
- Expand openrpc.json with DNS, TLS, OAuth, settings and domain management methods
- Add .forgejo/workflows/ci.yaml for Forgejo CI pipeline
- Add README.md and integration test scaffolding for hero_proxy_examples
- Update Cargo workspace: add weblib member and new dependencies

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add data_dir field to HeroPaths for SQLite database storage
Some checks failed
CI / Check & Test (push) Failing after 2s
CI / Build Release (push) Has been skipped
f8e133d046
Extend HeroPaths with a data_dir (hero_dir/var/db) to provide a
well-known location for SQLite databases used by db.rs and other
persistence layers.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add listener.list/add/remove/status OpenRPC methods for runtime interface
attachment (IPv4/IPv6). Fix response key mismatches between OpenRPC spec
and implementation. Add Listeners tab to admin UI, update SDK client.

#6

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Implement managed reverse SSH tunnels configurable over UDS OpenRPC.
Adds tunnel.list/get/add/update/remove/start/stop/status RPC methods,
SQLite persistence, auto-reconnect with exponential backoff, and an
admin UI "Tunnels" tab.

#7

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- admin.rs: read X-Forwarded-Prefix header and inject base_path into HTML template
- admin.html: replace all asset/API paths with {{ base_path }} template variable,
  add <meta name="base-path"> for JS consumption, use status-dot/status-label
  connection widget pattern
- dashboard.js: use BASE constant from meta tag for all fetch/rpc calls,
  integrate startConnectionStatusPoller() from connection-status.js
- dashboard.css: add 3-state status-dot system (connected/backend-down/disconnected)
- proxy.rs: inject X-Forwarded-Prefix header for path-prefix routing
- Embed static assets (CSS, JS, fonts, favicon) via rust-embed

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Copy from hero_proc_ui — no changes needed, the poller is reusable
as-is across all Hero admin dashboards.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Remove DNS CRUD and default TCP listeners; add integration test crate and UI asset script
Some checks failed
CI / Check & Test (push) Failing after 4s
CI / Build Release (push) Has been skipped
b5a48bdc56
- Remove dns.* RPC handlers, DnsRecordRow struct, dns_records DB table, and
  dns.* entries from openrpc.json (DNS management moved out of scope)
- Remove default HTTP/HTTPS listener seeding (9997/9996); TCP listeners are
  now opt-in via admin UI or OpenRPC API
- Remove HTTP_PORT/HTTPS_PORT constants from lib.rs
- Add rust-embed dependency for asset embedding
- Add hero_proxy_tests integration test crate
- Add crates/hero_proxy_ui/scripts/download-assets.sh
- Update Makefile: clarify run output, add clippy alias, update .PHONY
- Update README: document new API groups, SSH tunnel feature, hero_proxy_tests
- Remove stale .claude/worktrees agent submodule references

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
improve UI table layout and status badge styling
Some checks failed
CI / Check & Test (push) Failing after 2s
CI / Build Release (push) Has been skipped
651cf54f6b
- Wrap all data tables in .tab-table-wrap divs for scrollable overflow
- Replace plain status text with colored state-badge pill components
- Add state-badge CSS classes with pulsing indicator for ok/error/warn/off states
- Show only socket filename (not full path) in services table with full path as tooltip
- Fix app-content overflow to use hidden+min-height-0 for proper flex scroll
- Set no-cache on static asset responses to ensure browsers pick up updates
- Bump asset query string versions (?v=2) to bust cached CSS/JS

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add sparkline charts to admin sidebar widgets using Chart.js
Some checks failed
CI / Check & Test (push) Failing after 3s
CI / Build Release (push) Has been skipped
fb4506c4de
Integrates Chart.umd.min.js and adds real-time sparkline history tracking
for services (health %), active listeners, and active tunnels in the admin
dashboard sidebar. Bumps dashboard.css and dashboard.js cache-bust versions
to v3, and restructures the Listeners/Tunnels widgets to show a prominent
active count with unit label alongside the spark canvas.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Enhance stats/admin UI with TLS card, chart panels, improved styling
Some checks failed
CI / Check & Test (push) Failing after 2s
CI / Build Release (push) Has been skipped
82af83024a
- Add TLS stats card (shield-lock icon, tls.list RPC) to stats page
- Add Service Health and Active Connections chart panels below stats cards
- Refactor stats cards to use CSS modifier classes for per-card icon colors
- Add two-column stats-charts-row layout with Chart.js line charts (renderStatsChart)
- Redesign admin page: larger header, card-styled sections, icon backgrounds
- Improve admin button cards with colored icon backgrounds and hover effects
- Add toast, confirm-modal, scrollbar, JSON syntax highlight, and responsive CSS
- Bump dashboard.css and dashboard.js cache busters to v4

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Wire auth_mode enforcement into domain route dispatch (issue #8)
Some checks failed
CI / Check & Test (push) Failing after 1s
CI / Build Release (push) Has been skipped
a4aa070a21
Enforce auth_mode on domain routes for all modes: none, bearer, oauth,
and new secp256k1 signature verification. Strip incoming X-Proxy-*
headers to prevent spoofing and inject verified identity headers
(X-Proxy-Auth-Method, X-Proxy-User-Email, X-Proxy-User-Pubkey) so
backends know who the authenticated user is. Add /oauth/callback
endpoint for OAuth2 authorization code exchange.

- Add k256, sha2, hex dependencies for secp256k1 ECDSA
- Add allowed_pubkeys field to DomainRoute schema + DB migration
- Create signature.rs verification module with replay window
- Wire auth enforcement in dispatch_domain_route() for 4 modes
- Add /oauth/callback route and handler
- Update OpenRPC spec with signature auth_mode and allowed_pubkeys

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Update build configuration and dependencies
Some checks failed
CI / Check & Test (push) Failing after 2s
CI / Build Release (push) Has been skipped
8c6e393481
Add Rhai scripts for lifecycle management, update Makefile
Some checks failed
CI / Check & Test (push) Failing after 1s
CI / Build Release (push) Has been skipped
29ca7956b4
Rhai scripts in scripts/rhai/ replace Makefile bash/binary patterns:
- build, install, run, stop, restart, status, test, clean
- Uses rust_builder() for native builds, proc_client() for hero_proc
- Makefile is now a thin wrapper calling hero_do scripts/rhai/*.rhai

Usage: hero_do scripts/rhai/run.rhai  (or: make run)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
refactor: use hero_lib_rhai tools in Rhai scripts
Some checks failed
CI / Check & Test (push) Failing after 2s
CI / Build Release (push) Has been skipped
73792b7b5f
- hero_init() instead of env_get("HOME") + path concatenation
- proc_process_action() + action_set() + service_register() instead of
  quick_service_set_full() per-binary
- Service model: hero_proxy service groups hero_proxy_server + hero_proxy_ui
- Legacy quick_service cleanup in stop/restart for migration path

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
fix: migrate from Rhai scripts to direct CLI pattern and use restart_service
Some checks failed
CI / Check & Test (push) Failing after 1s
CI / Build Release (push) Has been skipped
462d5f3559
- Remove scripts/rhai/ directory (8 Rhai scripts replaced by direct make targets)
- Makefile run/stop/install/build/clean/test targets now use cargo + hero_proxy --start/--stop directly
- Fix hero_proxy main.rs to call lifecycle::restart_service() instead of start_service()
- Update hero_proc_sdk dependency to get restart_service() support (b09af39 -> 6056c4d5)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
refactor: migrate CLI to hero_proc_factory() API and update hero_proc_sdk
Some checks failed
CI / Check & Test (push) Failing after 0s
CI / Build Release (push) Has been skipped
b3da6f886b
- Replace manual socket path check + lifecycle::restart_service/stop_service
  with the modern hero_proc_factory() factory pattern (hp.restart_service,
  hp.stop_service) as required by the current hero_proc_sdk
- Remove now-unused hero_proc_sdk::{lifecycle, socket} imports
- Add explicit HeroProcFactory type annotation to satisfy type inference
- Update Cargo.lock to pick up latest hero_proc_sdk development commit (e57c5fd4)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add complete group-based authorization system: users, groups, roles, claims,
nested group membership with cycle prevention, X-Hero-User/X-Hero-Claims
header injection after auth, full JSON-RPC API, admin UI tabs, and audit log.

#10

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Groups and users can now have IPv4/IPv6 CIDR network ranges. When a request
arrives from a matching IP, the group is auto-included in claim resolution
(auto_accept) or the user is auto-authenticated without explicit login.
IP extracted from X-Real-IP / X-Forwarded-For; client-spoofed headers stripped.

#10

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
feat(ui): services default-disabled, multi-select, modalities, right-click menu
Some checks failed
CI / Check & Test (push) Failing after 2s
CI / Build Release (push) Has been skipped
5abba6a145
#11
fix: migrate to Hero Unix socket strategy with per-service subdirectories
Some checks failed
CI / Check & Test (push) Failing after 2s
CI / Build Release (push) Has been skipped
13f3f6d77f
- Read HERO_SOCKET_DIR env var (default ~/hero/var/sockets) for all socket paths
- hero_proxy_server now binds rpc.sock at $HERO_SOCKET_DIR/hero_proxy_server/rpc.sock
- hero_proxy_ui now binds ui.sock at $HERO_SOCKET_DIR/hero_proxy_ui/ui.sock
- Create per-service subdirectory with create_dir_all before binding any socket
- Remove stale .sock file before binding (already done, now in correct path)
- Update HeroPaths::from_env() to respect HERO_SOCKET_DIR independently of HERO_DIR
- Add find_socket_for() support for new per-service subdirectory layout with legacy fallback
- Update SDK default_socket_path() to use new hero_proxy_server/rpc.sock path
- Update CLI hero_proxy kill_other and health_check socket paths
- Update remote_tunnel example to use new per-service socket layout
- Inject X-Hero-Context: 0 header on all proxied requests (default admin context)
- openrpc_proxy! macro updated to connect to hero_proxy_server/rpc.sock

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
refactor: remove openrpc_proxy from UI — hero_router handles RPC routing
Some checks failed
CI / Check & Test (push) Failing after 2s
CI / Build Release (push) Has been skipped
21781a3eb3
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Fix hero_sockets compliance: use hero_proxy/ as service socket directory
Some checks failed
CI / Check & Test (push) Failing after 1s
CI / Build Release (push) Has been skipped
3ac9d8ef03
- Rename all socket directory references from hero_proxy_server/ and
  hero_proxy_ui/ to hero_proxy/ to comply with the hero_sockets convention
  (service name, not binary name, is used for the socket directory)
- Fix well-known discovery manifests: use correct service name "hero_proxy",
  protocol "ui" for the UI socket, and add missing "socket" field
- Update hero_proxy_sdk default_socket_path() to match new layout
- Add service/context filtering to role-based claim resolution (authz)
- Update admin dashboard UI and dashboard.js with latest improvements
- Run cargo update to pull latest dependency versions

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
refactor: Simplify code and improve consistency
Some checks failed
CI / Check & Test (push) Failing after 2s
CI / Build Release (push) Has been skipped
b5b9e512a7
- Remove unnecessary `clone` calls
- Update several `unwrap` calls to use `?` operator
- Improve handling of string parsing and optional values
- Ensure consistent usage of `anyhow::anyhow!` for error reporting
- Refine closure usage for better readability
- Use `split` with an array of chars for more flexibility
- Update `match` statements for more concise error handling
- Add `#[allow(dead_code)]` for unused fields
- Consistently use `format!` for string construction
- Simplify nested `if let` statements
fix: resolve clippy warnings and add release workflow
Some checks failed
CI / Format, Lint, Test, Build (push) Failing after 25s
CI / Format, Lint, Test, Build (pull_request) Failing after 19s
b98b70ad11
- Fix all clippy warnings (collapsible_if, manual_range_contains,
  derivable_impls, needless_question_mark, etc.)
- Add release.yaml workflow for tag-triggered releases with musl binaries
- Update ci.yaml to use builder container instead of ubuntu-latest
- CI now produces musl static binaries matching production
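
The header handling described in commit a4aa070a21 above (strip incoming X-Proxy-* headers, then inject verified identity headers), as an added example in std-only Rust. It is not hero_proxy's code: the `Identity` type, `rewrite_headers`, the header-list representation, the `X-Proxy-Auth-Method` values and the folding of `_` to `-` when matching names are all assumptions.

```rust
// Added example, not hero_proxy code: names, types and header values are assumptions.

/// Identity the proxy itself verified for this request.
pub enum Identity {
    Bearer,
    OAuth { email: String },
    Signature { pubkey_hex: String },
}

/// True for any header in the reserved namespace. Case is ignored, and '_' is
/// treated as '-' because CGI-style backends fold both into the same variable.
fn is_reserved(name: &str) -> bool {
    name.trim().to_ascii_lowercase().replace('_', "-").starts_with("x-proxy-")
}

/// Drop every client-supplied X-Proxy-* header, then add the verified ones.
/// `None` models auth_mode "none": nothing is injected, but stripping still runs.
pub fn rewrite_headers(incoming: &[(String, String)], id: Option<&Identity>) -> Vec<(String, String)> {
    let mut out: Vec<(String, String)> = incoming
        .iter()
        .filter(|(name, _)| !is_reserved(name))
        .cloned()
        .collect();
    let mut put = |k: &str, v: &str| out.push((k.to_string(), v.to_string()));
    match id {
        None => {}
        Some(Identity::Bearer) => put("X-Proxy-Auth-Method", "bearer"),
        Some(Identity::OAuth { email }) => {
            put("X-Proxy-Auth-Method", "oauth");
            put("X-Proxy-User-Email", email.as_str());
        }
        Some(Identity::Signature { pubkey_hex }) => {
            put("X-Proxy-Auth-Method", "signature");
            put("X-Proxy-User-Pubkey", pubkey_hex.as_str());
        }
    }
    out
}

fn main() {
    // Constructed request: the client pre-sets identity headers it should not control.
    let incoming: Vec<(String, String)> =
        [("Host", "app.example"), ("x-proxy-user-email", "admin@example"), ("X_Proxy_Auth_Method", "oauth")]
            .iter().map(|(k, v)| (k.to_string(), v.to_string())).collect();
    let id = Identity::OAuth { email: "alice@example".to_string() };
    for (k, v) in rewrite_headers(&incoming, Some(&id)) {
        println!("{k}: {v}");
    }
}
```

Stripping runs before injection and for every auth mode, so a backend that trusts these headers only ever sees values the proxy wrote.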
Reference
lhumina_code/hero_proxy!12