fix(services): surface-fixes from heroci --download validation (lib.nu mycelium import + non-sudo setcap) #230

Merged

mik-tf merged 1 commit from development_mik_heroci_validation_fixes into development

2026-05-07 03:07:00 +00:00

mik-tf commented

2026-05-07 03:06:33 +00:00

Owner

Two latent bugs surfaced when the full mycelium → router stack came up on heroci via service_<name> start --download for the first time (session 73, 2026-05-07).

lib.nu — `svc_mycelium_ensure` calls `mycelium ensure` unresolved

svc_mycelium_ensure (lib.nu:1100) called mycelium ensure but lib.nu itself did not import ../clients/mycelium.nu. In Nu, command lookup happens in the defining module's scope, so even when a sibling service_*.nu imports the mycelium client, that import does NOT carry into svc_mycelium_ensure's body. service_router start blew up at Command 'mycelium' not found the first time it called svc_mycelium_ensure.

Fix: use ../clients/mycelium.nu * at the top of lib.nu so the resolution works for every caller.

service_mycelium.nu — `^sudo setcap` fails when sudo binary absent

session 73's session-merged PR #229 factored capability-setting into svx_apply_capability and unconditionally called ^sudo setcap. heroci runs as root with no sudo binary installed (single-user TF Grid container), so the call failed with Command 'sudo' not found.

Fix: branch on (^id -u | str trim) == "0" — when the caller is already root, call ^setcap directly; otherwise keep the existing ^sudo setcap path for ordinary multi-user installs.

Validation

Both fixes verified end-to-end on heroci: hero_proc + mycelium + hero_router all came up clean from --download artifacts after these landed (no source on disk, no FORGE_TOKEN at boot).

The remaining heroci 502 is unrelated — hero_router binds on 127.0.0.1:9988 (or []:9988 with --address) but the TF Grid name_proxy backend points at the public IPv4. Tracked at lhumina_code/home#227 for session 74 (DO from-nothing demo).

Signed-off-by: mik-tf

Two latent bugs surfaced when the full mycelium → router stack came up on heroci via `service_<name> start --download` for the first time (session 73, 2026-05-07). ## lib.nu — `svc_mycelium_ensure` calls `mycelium ensure` unresolved `svc_mycelium_ensure` (lib.nu:1100) called `mycelium ensure` but lib.nu itself did not import `../clients/mycelium.nu`. In Nu, command lookup happens in the *defining* module's scope, so even when a sibling service_*.nu imports the mycelium client, that import does NOT carry into svc_mycelium_ensure's body. `service_router start` blew up at `Command 'mycelium' not found` the first time it called `svc_mycelium_ensure`. Fix: `use ../clients/mycelium.nu *` at the top of lib.nu so the resolution works for every caller. ## service_mycelium.nu — `^sudo setcap` fails when sudo binary absent session 73's session-merged PR #229 factored capability-setting into `svx_apply_capability` and unconditionally called `^sudo setcap`. heroci runs as root with no sudo binary installed (single-user TF Grid container), so the call failed with `Command 'sudo' not found`. Fix: branch on `(^id -u | str trim) == "0"` — when the caller is already root, call `^setcap` directly; otherwise keep the existing `^sudo setcap` path for ordinary multi-user installs. ## Validation Both fixes verified end-to-end on heroci: hero_proc + mycelium + hero_router all came up clean from --download artifacts after these landed (no source on disk, no FORGE_TOKEN at boot). The remaining heroci 502 is unrelated — hero_router binds on 127.0.0.1:9988 (or [<mycelium>]:9988 with --address) but the TF Grid name_proxy backend points at the public IPv4. Tracked at https://forge.ourworld.tf/lhumina_code/home/issues/227 for session 74 (DO from-nothing demo). Signed-off-by: mik-tf

mik-tf added 1 commit

2026-05-07 03:06:33 +00:00

fix(services): surface-fixes from heroci --download validation

Build and Publish Skills / build-and-publish (pull_request) Successful in 3s

Details

bb27704420

Two latent bugs surfaced when the full mycelium → router stack came
up on heroci via `service_<name> start --download` for the first
time (session 73, 2026-05-07):

## lib.nu — `svc_mycelium_ensure` calls `mycelium ensure` unresolved

`svc_mycelium_ensure` (lib.nu line 1100) called `mycelium ensure` but
`lib.nu` itself did not import `../clients/mycelium.nu`. In Nu, command
lookup happens in the *defining* module's scope, so even when a
sibling service_*.nu imports the mycelium client, that import does
NOT carry into svc_mycelium_ensure's body. service_router blew up at
"Command `mycelium` not found" the first time it called
`svc_mycelium_ensure`.

Fix: add `use ../clients/mycelium.nu *` at the top of lib.nu so the
resolution works for every caller.

## service_mycelium.nu — `^sudo setcap` fails when sudo binary absent

`svx_apply_capability` unconditionally called `^sudo setcap`. heroci
runs as root with no sudo binary installed (single-user TF Grid
container), so the call failed with "Command `sudo` not found".

Fix: branch on `(^id -u | str trim) == "0"` — when the caller is
already root, call `^setcap` directly; otherwise keep the existing
`^sudo setcap` path for ordinary multi-user installs.

Both fixes verified end-to-end on heroci: hero_proc + mycelium +
hero_router all came up clean from --download artifacts after these
landed.

Note: heroci's public URL (https://heroci.gent01.grid.tf/) still
returns 502, but for a separate reason — hero_router binds on
127.0.0.1:9988 (or [<mycelium>]:9988 with --address) but the TF
Grid name_proxy backend points at the public IPv4. Tracked at
lhumina_code/home#227 for session
74 (DO from-nothing demo) — out of scope here.

Signed-off-by: mik-tf