feat(skills): proxy_auth_setup helper for hero_proxy --auth-mode #130

Closed
mik-tf wants to merge 2 commits from development_mik_proxy_auth into development
Owner

Closes deploy-side of home#182 canonical mode. Codifies §12.2 of DEPLOYMENT_NU_HERO_OS.md so the runbook's hero_proxy oauth set + hero_proxy domain add --auth-mode incantations are driven by env vars in env.sh.

The hero_proxy CLI already exposes everything we need (domain add --auth-mode oauth/bearer/optional + oauth set <name> <provider>), so this is purely a hero_skills wrapper — no hero_proxy code changes.

Module

New: tools/modules/installers/proxy_auth.nu
Re-exported from: tools/modules/installers/mod.nu

proxy_auth_setup [
    --mode <str>           # env HERO_AUTH_MODE — oauth/bearer/optional
    --hostname <str>       # env HERO_PUBLIC_HOSTNAME
    --socket-path <str>    # env HERO_PROXY_SOCKET (default ~/hero/var/sockets/hero_router/ui.sock)
    --oauth-provider <str> # env HERO_OAUTH_PROVIDER, default "google"
    --client-id <str>      # env <PROVIDER>_CLIENT_ID (or GOOGLE_CLIENT_ID legacy)
    --client-secret <str>  # env <PROVIDER>_CLIENT_SECRET
    --oauth-scopes <str>   # env HERO_OAUTH_SCOPES, default "openid email profile"
    --bearer-token <str>   # env HERO_BEARER_TOKEN — auto-gen if unset
]

Modes

  • optional — guest-first, login optional (good for evaluation demos)
  • bearer — single shared secret in Authorization header
  • oauth — Google (or other provider) redirect flow

Idempotent at the CLI level — hero_proxy domain add upserts on (hostname, mode); re-running with the same args is safe.

Companion

The basic-auth nginx variant for the demo path is at PR #129 (basic_auth_setup). Pick exactly one per deploy.

Validation

Parses under nu -c "use tools/modules/installers *". Runtime test requires hero_proxy + a running domain + DNS.

Tracker

home#185.

Signed-off-by: mik-tf

Closes deploy-side of lhumina_code/home#182
canonical mode.  Codifies §12.2 of DEPLOYMENT_NU_HERO_OS.md so the
runbook's `hero_proxy oauth set` + `hero_proxy domain add --auth-mode`
incantations are driven by env vars in env.sh.

The hero_proxy CLI already exposes everything we need
(domain add --auth-mode oauth/bearer + oauth set <name> <provider>),
so this is purely a hero_skills wrapper — no hero_proxy code changes.

Module: tools/modules/installers/proxy_auth.nu
Public API: tools/modules/installers/mod.nu re-exports proxy_auth_setup.

Modes:
  optional — guest-first, login optional (good for evaluation demos)
  bearer   — single shared secret in Authorization header
  oauth    — Google (or other provider) redirect flow

Resolution order matches the rest of the installer family:
  --flag → HERO_AUTH_MODE / HERO_PUBLIC_HOSTNAME / etc env → error

OAuth credentials look up <PROVIDER>_CLIENT_ID / _CLIENT_SECRET first,
then fall back to GOOGLE_CLIENT_ID / GOOGLE_CLIENT_SECRET (the legacy
canonical names).  Bearer auto-generates HERO_BEARER_TOKEN when unset
and prints it once (operator must save it to env.sh).

Idempotent at the CLI level — `hero_proxy domain add` upserts on
(hostname, mode); re-running with the same args is safe.

Companion to #129
(basic_auth_setup, the demo nginx variant).  Pick exactly one per deploy.

Validation: parses under `nu -c "use tools/modules/installers *"`.
Runtime test requires hero_proxy + a running domain + DNS.

Tracker: lhumina_code/home#185

Signed-off-by: mik-tf
Cosmetic — the literal-paren typo in the OAuth credential error messages
rendered as e.g. 'GOOGLE)_CLIENT_ID' (extra paren).  Hoisted the upcase
into a let binding for readability and removed the typo.
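
The resolution order, OAuth credential fallback and bearer auto-generation described in the commit message above, sketched in Nushell as an added example. This is not the PR's `proxy_auth.nu`: the helper names, the `acme` provider, the sample environment values and the 48-character token length are assumptions made for the illustration.

```nu
# Added example: hypothetical helpers, not the PR's proxy_auth.nu.

# --flag wins, then the named env var, otherwise a hard error.
def resolve [flag: any, env_name: string] {
    if $flag != null { return $flag }
    if $env_name in $env { return ($env | get $env_name) }
    error make {msg: $"missing value: pass the flag or set ($env_name)"}
}

# Reject anything outside the three modes the PR lists.
def check-mode [mode: string] {
    if $mode not-in ["oauth" "bearer" "optional"] {
        error make {msg: $"unsupported auth mode '($mode)'"}
    }
    $mode
}

# <PROVIDER>_<suffix> first, then the legacy GOOGLE_<suffix> name.
def resolve-oauth-cred [flag: any, provider: string, suffix: string] {
    if $flag != null { return $flag }
    let prefix = ($provider | str upcase)  # hoisted, as in the PR's second commit
    let primary = $"($prefix)_($suffix)"
    let legacy = $"GOOGLE_($suffix)"
    if $primary in $env { return ($env | get $primary) }
    if $legacy in $env { return ($env | get $legacy) }
    error make {msg: $"set ($primary) or ($legacy), or pass the flag"}
}

# Bearer: flag, then HERO_BEARER_TOKEN, else generate one and mark it as new
# so the caller can show it once for the operator to save in env.sh.
def resolve-bearer [flag: any] {
    if $flag != null { return {token: $flag, generated: false} }
    if "HERO_BEARER_TOKEN" in $env {
        return {token: $env.HERO_BEARER_TOKEN, generated: false}
    }
    {token: (random chars --length 48), generated: true}
}

# Constructed sample environment; hostname, provider and client id are placeholders.
with-env {HERO_AUTH_MODE: "oauth", HERO_PUBLIC_HOSTNAME: "demo.example.test", GOOGLE_CLIENT_ID: "constructed-id"} {
    let mode = (check-mode (resolve null "HERO_AUTH_MODE"))
    let id = (resolve-oauth-cred null "acme" "CLIENT_ID")  # no ACME_CLIENT_ID, so the legacy name is used
    let bearer = (resolve-bearer null)
    print $"mode=($mode) client_id=($id) new_token=($bearer.generated)"
}
```

Values supplied through `env.sh` stay out of the process argument list, whereas `--client-secret` and `--bearer-token` given as flags are visible to other local users in process listings and may land in shell history.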
mik-tf closed this pull request 2026-04-25 20:34:40 +00:00
Author
Owner

Squash-merged to development as f17e99c. Branch deleted.

Reference
lhumina_code/hero_skills!130