lhumina_code/home
23
0
Fork 0
Code Issues 6 Pull requests Projects Releases Packages Wiki Activity Actions

[Phase 2] Codify demo-VM hotfixes into upstream code — clean runbook, no manual steps #185

New issue
Closed
opened 2026-04-25 15:43:33 +00:00 by mik-tf · 4 comments
mik-tf commented 2026-04-25 15:43:33 +00:00
Owner
Copy link

Phase 2 — codify demo-VM hotfixes into upstream code (clean runbook, no manual steps)

Goal

Get the Hero OS nu-shell deploy to a state where a fresh VM redeploys via the runbook in ~1.5 hours with no manual hotfix steps — just terraform, bootstrap, install, optional auth, optional snapshot.

Phase 1 (merge code-bearing PRs) is complete:

Runbook captured at hero_demo/docs/ops/DEPLOYMENT_NU_HERO_OS.md. Method captured at hero_demo/docs/ops/FIX_TRIAGE.md.

This issue tracks Phase 2 — converting the runbook's manual fixup sections (§4.5, §10, §11, §12) into upstream code in hero_skills, hero_proxy, and hero_demo.

Tier 1 — small, mechanical (hero_skills bootstrap; ~1 day total, all parallel)

Single-file changes to hero_skills/install/ bootstrap or apt config. Each is independently mergeable.

  • hero_skills/development_mik_apt_deps — add libclang-dev cmake python3 python3-openpyxl jq sqlite3 to bootstrap apt list. Closes home#170, home#172
  • hero_skills/development_mik_uv_install — add curl -LsSf https://astral.sh/uv/install.sh \| sh for uv (used by hero_code's python_exec). Closes home#170
  • hero_skills/development_mik_chrome_install — Google Chrome .deb apt source (Ubuntu's chromium-browser is a snap wrapper that fails on TF Grid flists). Closes home#177
  • hero_skills/development_mik_onnxruntime — wget+tar both ONNX runtimes: 1.23.2 → /usr/local/onnxruntime/, 1.24.x → /usr/local/onnxruntime-1.24/. Closes home#162, partially home#173
  • hero_skills/development_mik_libreofficeapt install libreoffice-core libreoffice-impress libreoffice-writer libreoffice-calc (used for at-click PDF preview generation). Closes home#178 prerequisite
  • hero_skills/development_mik_init_sh_envinstall.sh reads HERO_ROOTDIR env var and skips the interactive prompt when set. Closes home#164

After Tier 1: runbook §2 (Bootstrap the VM) collapses from 6 manual steps to one bash bootstrap.sh invocation.

Tier 2 — medium, requires nu-shell module understanding (hero_skills services + hero_proxy; ~1.5 days, ordered)

Touches the actual nu-shell service modules. Each has internal ordering dependencies (Docker before OnlyOffice; ONNX install before embedder/voice env).

  • hero_skills/development_mik_service_set_after_installservice_install_all.nu calls service.set for every action it registers, eliminating the herodemo_set_services.py workaround. Closes home#167
  • hero_skills/development_mik_embedder_envservice_embedder.nu sets ORT_LIB_LOCATION=/usr/local/onnxruntime/lib, LD_LIBRARY_PATH=/usr/local/onnxruntime/lib, EMBEDDER_MODELS=/data/home/driver/hero/var/embedder/models. Closes home#166
  • hero_skills/development_mik_voice_envservice_voice.nu sets ORT_LIB_LOCATION=/usr/local/onnxruntime-1.24/lib, LD_LIBRARY_PATH=/usr/local/onnxruntime-1.24/lib, ORT_PREFER_DYNAMIC_LINK=1. Closes home#173 (deploy-side)
  • hero_skills/development_mik_office_envservice_office.nu sets ONLYOFFICE_JWT_SECRET (from generated secret or env), OO_SERVER_URL (templated from public hostname), OO_UPSTREAM_BASE=http://10.1.2.2:8088, CONNECTOR_EXTERNAL_URL=http://10.1.2.2:9990. Closes home#174 (deploy-side)
  • hero_skills/development_mik_docker_btrfs — bootstrap installs Docker, sets /etc/docker/daemon.json with data-root: /data/docker + storage-driver: btrfs, starts via nohup dockerd (no systemd on TF Grid). Closes home#181
  • hero_skills/development_mik_onlyoffice_install — new service_onlyoffice.nu module: docker pull onlyoffice/documentserver:latest, docker run -d with JWT secret, registers a hero_proc supervisor entry. Depends on development_mik_docker_btrfs. Closes home#174 end-to-end
  • hero_skills/development_mik_basic_auth — optional nginx + htpasswd setup driven by HERO_AUTH_MODE=basic env var (and credentials via HERO_AUTH_BASIC_USER/HERO_AUTH_BASIC_PASS). Closes home#182 (basic mode)
  • hero_proxy/development_mik_runbook_setup — installer-side helper that runs proxy domain add ... --auth-mode <mode> based on HERO_AUTH_MODE env (oauth/optional/bearer). Closes home#182 (canonical mode)

After Tier 2: runbook §4.5 (action env patches), §10 (Docker), §11 (OnlyOffice), §12 (auth) all become flags on the install pipeline.

Tier 3 — content seeding (hero_demo; ~0.5 days)

  • hero_demo/development_mik_seed_data — commit sample files to hero_demo/data/seed/{office,diagrams,books}/:

    • 3 .vsdx from Apache POI (already on VM, ready to extract)
    • 5 .pptx (Geomind-themed, pandoc-generated)
    • 5 .xlsx (openpyxl-generated)
    • companion .pdf for each (libreoffice-generated)
    • libraries.txt for hero_books
    • install-time hook in service_office.nu / service_books.nu to cp into webdav/<context>/

    Closes home#183

After Tier 3: runbook §7 (Seed content) becomes "automatic at install time."

After Tier 1 + 2 + 3 — the simplified runbook

# 1. Provision (terraform)
cd hero_demo/deploy/single-vm
cp envs/herodemo/tf/credentials.auto.tfvars.example envs/<NAME>/tf/credentials.auto.tfvars
# edit with node_id, gateway_node, cpu, memory, rootfs_size=16384, publicip=true
terraform -chdir=envs/<NAME>/tf init
terraform -chdir=envs/<NAME>/tf apply -auto-approve

# 2. Bootstrap (one curl)
ssh root@<ipv4> "curl -fsSL https://forge.ourworld.tf/lhumina_code/hero_skills/raw/branch/development/install/bootstrap.sh | bash"

# 3. Install services (one nu command)
ssh root@<ipv4> "su - driver -c 'source ~/hero/cfg/init.sh && service_install_all'"

# 4. (optional) Auth
ssh root@<ipv4> "HERO_AUTH_MODE=optional service_install_all --reconfigure"
# or HERO_AUTH_MODE=oauth + Google credentials, or HERO_AUTH_MODE=basic

# 5. (optional) Restore from snapshot
scp ~/heronu-backups/herodemo-backup-<ts>.tar.gz root@<ipv4>:/data/home/driver/
ssh root@<ipv4> "su - driver -c 'cd ~ && tar xzf herodemo-backup-*.tar.gz && hero_proc service restart-all'"

# 6. Verify
curl -s -o /dev/null -w '%{http_code}\n' https://<gw>.gent01.grid.tf/

Wall-clock target: 1.5 hours (apt + cargo build dominate).

Deferred — NOT Phase 2 (open issues, separate engineering)

These are real upstream code work, NOT codify-the-runbook tasks:

  • home#180hero_biz_ui Hero0Config refactor for OSIS per-domain split. Multi-day. Native Business island works as alternative.
  • home#173 (full unification) — unify ort crate version across hero_voice + hero_embedder so a single ONNX install suffices. Cross-repo, multi-day.
  • home#175 — OSIS admin UI aggregator (/api/services discovery). Design discussion needed.
  • home#176 — hero_books navbar fix (resolved by enabling island-books-native feature in the WASM build, not a code change to hero_books_ui).
  • home#184 — hero_books light-mode card contrast (same WASM-native enablement fix).
  • home#147 — Collab dark theme follow.
  • home#178 — at-click libreoffice PDF preview (orthogonal to OnlyOffice; libreoffice install via Tier 1 is the prerequisite).

These can be picked up by devops independently.

Process / quality gate

Per FIX_TRIAGE:

  • Each branch is L2 (PR for review) — not direct push
  • Before pushing: run cargo fmt --check && cargo clippy --workspace --all-targets -- -D warnings && cargo build --workspace --release (or the nu-shell equivalent verification for hero_skills modules)
  • Each PR closes its associated home issue(s) via the commit message
  • Verify on a fresh TF Grid VM before declaring tier complete (live demo on herodemo isn't sufficient — too much accumulated state)

Tracking

This issue is the master tracker. Sub-tasks above will be checked off as branches merge. Linked PRs will appear here automatically.

Once all three tiers ship, the runbook's §13 Category C goes empty and §14 Phase 2 gets a COMPLETE marker. Phase 3 (release artifacts so we don't cargo build per-deploy) becomes a separate conversation.

Signed-off-by: mik-tf

# Phase 2 — codify demo-VM hotfixes into upstream code (clean runbook, no manual steps) ## Goal Get the Hero OS nu-shell deploy to a state where **a fresh VM redeploys via the runbook in ~1.5 hours with no manual hotfix steps** — just terraform, bootstrap, install, optional auth, optional snapshot. Phase 1 (merge code-bearing PRs) is complete: - ✅ [hero_office #3](https://forge.ourworld.tf/lhumina_code/hero_office/pulls/3) (`2dbc543`) — OnlyOffice integration - ✅ [hero_agent #8](https://forge.ourworld.tf/lhumina_code/hero_agent/pulls/8) + [#9](https://forge.ourworld.tf/lhumina_code/hero_agent/pulls/9) (`5bea19b`) — MCP tool name sanitizer - ✅ [hero_os #91](https://forge.ourworld.tf/lhumina_code/hero_os/pulls/91) closed (review thread for already-merged Biz fix `000922b`) Runbook captured at [`hero_demo/docs/ops/DEPLOYMENT_NU_HERO_OS.md`](https://forge.ourworld.tf/lhumina_code/hero_demo/src/branch/development/docs/ops/DEPLOYMENT_NU_HERO_OS.md). Method captured at [`hero_demo/docs/ops/FIX_TRIAGE.md`](https://forge.ourworld.tf/lhumina_code/hero_demo/src/branch/development/docs/ops/FIX_TRIAGE.md). This issue tracks Phase 2 — converting the runbook's manual fixup sections (§4.5, §10, §11, §12) into upstream code in `hero_skills`, `hero_proxy`, and `hero_demo`. ## Tier 1 — small, mechanical (`hero_skills` bootstrap; ~1 day total, all parallel) Single-file changes to `hero_skills/install/` bootstrap or apt config. Each is independently mergeable. - [ ] **`hero_skills/development_mik_apt_deps`** — add `libclang-dev cmake python3 python3-openpyxl jq sqlite3` to bootstrap apt list. Closes [home#170](https://forge.ourworld.tf/lhumina_code/home/issues/170), [home#172](https://forge.ourworld.tf/lhumina_code/home/issues/172) - [ ] **`hero_skills/development_mik_uv_install`** — add `curl -LsSf https://astral.sh/uv/install.sh \| sh` for `uv` (used by `hero_code`'s `python_exec`). Closes [home#170](https://forge.ourworld.tf/lhumina_code/home/issues/170) - [ ] **`hero_skills/development_mik_chrome_install`** — Google Chrome `.deb` apt source (Ubuntu's `chromium-browser` is a snap wrapper that fails on TF Grid flists). Closes [home#177](https://forge.ourworld.tf/lhumina_code/home/issues/177) - [ ] **`hero_skills/development_mik_onnxruntime`** — wget+tar both ONNX runtimes: 1.23.2 → `/usr/local/onnxruntime/`, 1.24.x → `/usr/local/onnxruntime-1.24/`. Closes [home#162](https://forge.ourworld.tf/lhumina_code/home/issues/162), partially [home#173](https://forge.ourworld.tf/lhumina_code/home/issues/173) - [ ] **`hero_skills/development_mik_libreoffice`** — `apt install libreoffice-core libreoffice-impress libreoffice-writer libreoffice-calc` (used for at-click PDF preview generation). Closes [home#178](https://forge.ourworld.tf/lhumina_code/home/issues/178) prerequisite - [ ] **`hero_skills/development_mik_init_sh_env`** — `install.sh` reads `HERO_ROOTDIR` env var and skips the interactive prompt when set. Closes [home#164](https://forge.ourworld.tf/lhumina_code/home/issues/164) After Tier 1: runbook §2 (Bootstrap the VM) collapses from 6 manual steps to one `bash bootstrap.sh` invocation. ## Tier 2 — medium, requires nu-shell module understanding (`hero_skills` services + `hero_proxy`; ~1.5 days, ordered) Touches the actual nu-shell service modules. Each has internal ordering dependencies (Docker before OnlyOffice; ONNX install before embedder/voice env). - [ ] **`hero_skills/development_mik_service_set_after_install`** — `service_install_all.nu` calls `service.set` for every action it registers, eliminating the `herodemo_set_services.py` workaround. Closes [home#167](https://forge.ourworld.tf/lhumina_code/home/issues/167) - [ ] **`hero_skills/development_mik_embedder_env`** — `service_embedder.nu` sets `ORT_LIB_LOCATION=/usr/local/onnxruntime/lib`, `LD_LIBRARY_PATH=/usr/local/onnxruntime/lib`, `EMBEDDER_MODELS=/data/home/driver/hero/var/embedder/models`. Closes [home#166](https://forge.ourworld.tf/lhumina_code/home/issues/166) - [ ] **`hero_skills/development_mik_voice_env`** — `service_voice.nu` sets `ORT_LIB_LOCATION=/usr/local/onnxruntime-1.24/lib`, `LD_LIBRARY_PATH=/usr/local/onnxruntime-1.24/lib`, `ORT_PREFER_DYNAMIC_LINK=1`. Closes [home#173](https://forge.ourworld.tf/lhumina_code/home/issues/173) (deploy-side) - [ ] **`hero_skills/development_mik_office_env`** — `service_office.nu` sets `ONLYOFFICE_JWT_SECRET` (from generated secret or env), `OO_SERVER_URL` (templated from public hostname), `OO_UPSTREAM_BASE=http://10.1.2.2:8088`, `CONNECTOR_EXTERNAL_URL=http://10.1.2.2:9990`. Closes [home#174](https://forge.ourworld.tf/lhumina_code/home/issues/174) (deploy-side) - [ ] **`hero_skills/development_mik_docker_btrfs`** — bootstrap installs Docker, sets `/etc/docker/daemon.json` with `data-root: /data/docker` + `storage-driver: btrfs`, starts via `nohup dockerd` (no systemd on TF Grid). Closes [home#181](https://forge.ourworld.tf/lhumina_code/home/issues/181) - [ ] **`hero_skills/development_mik_onlyoffice_install`** — new `service_onlyoffice.nu` module: `docker pull onlyoffice/documentserver:latest`, `docker run -d` with JWT secret, registers a hero_proc supervisor entry. Depends on `development_mik_docker_btrfs`. Closes [home#174](https://forge.ourworld.tf/lhumina_code/home/issues/174) end-to-end - [ ] **`hero_skills/development_mik_basic_auth`** — optional nginx + htpasswd setup driven by `HERO_AUTH_MODE=basic` env var (and credentials via `HERO_AUTH_BASIC_USER`/`HERO_AUTH_BASIC_PASS`). Closes [home#182](https://forge.ourworld.tf/lhumina_code/home/issues/182) (basic mode) - [ ] **`hero_proxy/development_mik_runbook_setup`** — installer-side helper that runs `proxy domain add ... --auth-mode <mode>` based on `HERO_AUTH_MODE` env (oauth/optional/bearer). Closes [home#182](https://forge.ourworld.tf/lhumina_code/home/issues/182) (canonical mode) After Tier 2: runbook §4.5 (action env patches), §10 (Docker), §11 (OnlyOffice), §12 (auth) all become flags on the install pipeline. ## Tier 3 — content seeding (`hero_demo`; ~0.5 days) - [ ] **`hero_demo/development_mik_seed_data`** — commit sample files to `hero_demo/data/seed/{office,diagrams,books}/`: - 3 `.vsdx` from Apache POI (already on VM, ready to extract) - 5 `.pptx` (Geomind-themed, pandoc-generated) - 5 `.xlsx` (openpyxl-generated) - companion `.pdf` for each (libreoffice-generated) - `libraries.txt` for hero_books - install-time hook in `service_office.nu` / `service_books.nu` to `cp` into `webdav/<context>/` Closes [home#183](https://forge.ourworld.tf/lhumina_code/home/issues/183) After Tier 3: runbook §7 (Seed content) becomes "automatic at install time." ## After Tier 1 + 2 + 3 — the simplified runbook ```bash # 1. Provision (terraform) cd hero_demo/deploy/single-vm cp envs/herodemo/tf/credentials.auto.tfvars.example envs/<NAME>/tf/credentials.auto.tfvars # edit with node_id, gateway_node, cpu, memory, rootfs_size=16384, publicip=true terraform -chdir=envs/<NAME>/tf init terraform -chdir=envs/<NAME>/tf apply -auto-approve # 2. Bootstrap (one curl) ssh root@<ipv4> "curl -fsSL https://forge.ourworld.tf/lhumina_code/hero_skills/raw/branch/development/install/bootstrap.sh | bash" # 3. Install services (one nu command) ssh root@<ipv4> "su - driver -c 'source ~/hero/cfg/init.sh && service_install_all'" # 4. (optional) Auth ssh root@<ipv4> "HERO_AUTH_MODE=optional service_install_all --reconfigure" # or HERO_AUTH_MODE=oauth + Google credentials, or HERO_AUTH_MODE=basic # 5. (optional) Restore from snapshot scp ~/heronu-backups/herodemo-backup-<ts>.tar.gz root@<ipv4>:/data/home/driver/ ssh root@<ipv4> "su - driver -c 'cd ~ && tar xzf herodemo-backup-*.tar.gz && hero_proc service restart-all'" # 6. Verify curl -s -o /dev/null -w '%{http_code}\n' https://<gw>.gent01.grid.tf/ ``` **Wall-clock target: 1.5 hours** (apt + cargo build dominate). ## Deferred — NOT Phase 2 (open issues, separate engineering) These are real upstream code work, NOT codify-the-runbook tasks: - [home#180](https://forge.ourworld.tf/lhumina_code/home/issues/180) — `hero_biz_ui` `Hero0Config` refactor for OSIS per-domain split. Multi-day. Native Business island works as alternative. - [home#173](https://forge.ourworld.tf/lhumina_code/home/issues/173) (full unification) — unify `ort` crate version across `hero_voice` + `hero_embedder` so a single ONNX install suffices. Cross-repo, multi-day. - [home#175](https://forge.ourworld.tf/lhumina_code/home/issues/175) — OSIS admin UI aggregator (`/api/services` discovery). Design discussion needed. - [home#176](https://forge.ourworld.tf/lhumina_code/home/issues/176) — hero_books navbar fix (resolved by enabling `island-books-native` feature in the WASM build, not a code change to hero_books_ui). - [home#184](https://forge.ourworld.tf/lhumina_code/home/issues/184) — hero_books light-mode card contrast (same WASM-native enablement fix). - [home#147](https://forge.ourworld.tf/lhumina_code/home/issues/147) — Collab dark theme follow. - [home#178](https://forge.ourworld.tf/lhumina_code/home/issues/178) — at-click libreoffice PDF preview (orthogonal to OnlyOffice; libreoffice install via Tier 1 is the prerequisite). These can be picked up by devops independently. ## Process / quality gate Per [FIX_TRIAGE](https://forge.ourworld.tf/lhumina_code/hero_demo/src/branch/development/docs/ops/FIX_TRIAGE.md): - Each branch is L2 (PR for review) — not direct push - Before pushing: run `cargo fmt --check && cargo clippy --workspace --all-targets -- -D warnings && cargo build --workspace --release` (or the nu-shell equivalent verification for `hero_skills` modules) - Each PR closes its associated home issue(s) via the commit message - Verify on a **fresh** TF Grid VM before declaring tier complete (live demo on herodemo isn't sufficient — too much accumulated state) ## Tracking This issue is the master tracker. Sub-tasks above will be checked off as branches merge. Linked PRs will appear here automatically. Once all three tiers ship, the runbook's §13 Category C goes empty and §14 Phase 2 gets a ✅ COMPLETE marker. Phase 3 (release artifacts so we don't `cargo build` per-deploy) becomes a separate conversation. Signed-off-by: mik-tf
mik-tf commented 2026-04-25 16:22:56 +00:00
Author
Owner
Copy link

Phase 2 progress — most of Tier 1 + Tier 2 landed in one PR

Strategy adjustment: rather than 13 separate development_mik_* branches on hero_skills, the work was bundled into one squash-merged commit on hero_skills/development.

Landed: hero_skills/PR #126 → squash commit 7c823d1

Tier 1 — done (collapsed into 7c823d1)

  • apt deps (libreoffice + libssl-dev + python3 + sqlite3 + jq + wget) — split: dev-only deps in PR #125 1379cc0; libreoffice in 7c823d1
  • uv install — already covered by existing install_py (uses astral.sh/uv/install.sh)
  • Google Chrome .debinstall_chrome (closes #177)
  • ONNX Runtime 1.23.2 + 1.24.4 side-by-side — install_onnxruntime (closes #162; partial #173)
  • LibreOffice — wired into install_base (closes #178)
  • HERO_ROOTDIR env override — find_rootdir in install.sh (closes #164)

Tier 2 — done (collapsed into 7c823d1)

  • service_complete aggregator (install + register + start in dependency order) — packages.nu (closes #167)
  • embedder env vars (ORT_LIB_LOCATION, LD_LIBRARY_PATH, EMBEDDER_MODELS) — service_embedder.nu (closes #166 for embedder)
  • voice env vars (ORT_LIB_LOCATION, LD_LIBRARY_PATH, ORT_PREFER_DYNAMIC_LINK=1) — service_voice.nu (closes #166 for voice; #170 deploy-side; #173 deploy-side)
  • office OO_UPSTREAM_BASE forwarding — service_office.nu
  • Docker + btrfs storage driver + nohup fallback — install_docker_btrfs (closes #181)
  • OnlyOffice container module — new service_onlyoffice.nu (closes #174)

Tier 2 — still TODO (separate branches)

  • hero_skills/development_mik_basic_auth — optional nginx + htpasswd setup (#182 basic mode)
  • hero_proxy/development_mik_runbook_setupproxy domain add ... --auth-mode <mode> driven by env (#182 canonical mode)

Tier 3 — still TODO

  • hero_demo/development_mik_seed_data — sample .vsdx/.pptx/.xlsx + libraries.txt (#183)

Issues closed today

#162, #164, #166, #167, #174, #177, #178, #181 — all resolved by 7c823d1.

#170 (voice ORT_PREFER_DYNAMIC_LINK) and #173 (full ort unification) left open — deploy-side is fixed but upstream ort crate work remains.

Validation

All changed nu modules load cleanly under nu -c "use ..." (parser-only — runtime validation needs a TF Grid VM).

Next sessions: basic-auth helper, hero_proxy runbook setup, seed data.

Signed-off-by: mik-tf

## Phase 2 progress — most of Tier 1 + Tier 2 landed in one PR Strategy adjustment: rather than 13 separate `development_mik_*` branches on hero_skills, the work was bundled into one squash-merged commit on `hero_skills/development`. **Landed:** [hero_skills/PR #126](https://forge.ourworld.tf/lhumina_code/hero_skills/pulls/126) → squash commit [`7c823d1`](https://forge.ourworld.tf/lhumina_code/hero_skills/commit/7c823d1) ### Tier 1 — done (collapsed into 7c823d1) - [x] apt deps (libreoffice + libssl-dev + python3 + sqlite3 + jq + wget) — split: dev-only deps in [PR #125](https://forge.ourworld.tf/lhumina_code/hero_skills/pulls/125) `1379cc0`; libreoffice in `7c823d1` - [x] `uv` install — already covered by existing `install_py` (uses `astral.sh/uv/install.sh`) - [x] Google Chrome `.deb` — `install_chrome` (closes #177) - [x] ONNX Runtime 1.23.2 + 1.24.4 side-by-side — `install_onnxruntime` (closes #162; partial #173) - [x] LibreOffice — wired into `install_base` (closes #178) - [x] `HERO_ROOTDIR` env override — `find_rootdir` in `install.sh` (closes #164) ### Tier 2 — done (collapsed into 7c823d1) - [x] `service_complete` aggregator (install + register + start in dependency order) — `packages.nu` (closes #167) - [x] embedder env vars (`ORT_LIB_LOCATION`, `LD_LIBRARY_PATH`, `EMBEDDER_MODELS`) — `service_embedder.nu` (closes #166 for embedder) - [x] voice env vars (`ORT_LIB_LOCATION`, `LD_LIBRARY_PATH`, `ORT_PREFER_DYNAMIC_LINK=1`) — `service_voice.nu` (closes #166 for voice; #170 deploy-side; #173 deploy-side) - [x] office `OO_UPSTREAM_BASE` forwarding — `service_office.nu` - [x] Docker + btrfs storage driver + nohup fallback — `install_docker_btrfs` (closes #181) - [x] OnlyOffice container module — new `service_onlyoffice.nu` (closes #174) ### Tier 2 — still TODO (separate branches) - [ ] **`hero_skills/development_mik_basic_auth`** — optional nginx + htpasswd setup (#182 basic mode) - [ ] **`hero_proxy/development_mik_runbook_setup`** — `proxy domain add ... --auth-mode <mode>` driven by env (#182 canonical mode) ### Tier 3 — still TODO - [ ] **`hero_demo/development_mik_seed_data`** — sample .vsdx/.pptx/.xlsx + libraries.txt (#183) ### Issues closed today #162, #164, #166, #167, #174, #177, #178, #181 — all resolved by `7c823d1`. #170 (voice ORT_PREFER_DYNAMIC_LINK) and #173 (full ort unification) left **open** — deploy-side is fixed but upstream `ort` crate work remains. ### Validation All changed nu modules load cleanly under `nu -c "use ..."` (parser-only — runtime validation needs a TF Grid VM). Next sessions: basic-auth helper, hero_proxy runbook setup, seed data. Signed-off-by: mik-tf
mik-tf commented 2026-04-25 16:55:47 +00:00
Author
Owner
Copy link

Phase 2 'what's left' — all 5 PRs opened

Five PRs ready for review covering the remaining what's left items from the boss-message snapshot. Each is independent — they can be reviewed and merged in any order.

PR Repo Closes Summary
hero_skills #127 hero_skills §4.4 (3 manual action.set invocations) New service_agent module (was missing entirely from hero_skills); service_biz HERO0_BASE_URL env override; service_router env-driven --address + --ui-port
hero_skills #128 hero_skills §6 WASM build New service_os wasm_build export + service_complete --wasm flag — runs make build-wasm + install-assets-release and restarts hero_os
hero_skills #129 hero_skills §12.1 (basic auth) New basic_auth_setup helper (nginx + htpasswd) for the demo path
hero_skills #130 hero_skills §12.2 (canonical auth) New proxy_auth_setup helper — wraps hero_proxy domain add --auth-mode oauth/bearer/optional driven by env vars
hero_demo #1 hero_demo §7 seed content data/seed/ with pandoc/openpyxl source inputs + seed_install.sh orchestrator that generates .docx/.xlsx/.pdf on the VM and copies into hero_foundry webdav

After all five land, the §0.1 Quick path becomes truly hot-fix-free for the happy path (basic-auth or hero_proxy auth picked per deploy). Validation on each PR is parser-only (nu -c "use ..." + bash/python AST) — runtime needs a TF Grid VM. Awaiting verification + green-light before squash-merging.

Signed-off-by: mik-tf

## Phase 2 'what's left' — all 5 PRs opened Five PRs ready for review covering the remaining `what's left` items from the boss-message snapshot. Each is independent — they can be reviewed and merged in any order. | PR | Repo | Closes | Summary | |----|------|--------|---------| | [hero_skills #127](https://forge.ourworld.tf/lhumina_code/hero_skills/pulls/127) | hero_skills | §4.4 (3 manual `action.set` invocations) | New `service_agent` module (was missing entirely from hero_skills); `service_biz` `HERO0_BASE_URL` env override; `service_router` env-driven `--address` + `--ui-port` | | [hero_skills #128](https://forge.ourworld.tf/lhumina_code/hero_skills/pulls/128) | hero_skills | §6 WASM build | New `service_os wasm_build` export + `service_complete --wasm` flag — runs `make build-wasm` + `install-assets-release` and restarts hero_os | | [hero_skills #129](https://forge.ourworld.tf/lhumina_code/hero_skills/pulls/129) | hero_skills | §12.1 (basic auth) | New `basic_auth_setup` helper (nginx + htpasswd) for the demo path | | [hero_skills #130](https://forge.ourworld.tf/lhumina_code/hero_skills/pulls/130) | hero_skills | §12.2 (canonical auth) | New `proxy_auth_setup` helper — wraps `hero_proxy domain add --auth-mode oauth/bearer/optional` driven by env vars | | [hero_demo #1](https://forge.ourworld.tf/lhumina_code/hero_demo/pulls/1) | hero_demo | §7 seed content | `data/seed/` with pandoc/openpyxl source inputs + `seed_install.sh` orchestrator that generates `.docx`/`.xlsx`/`.pdf` on the VM and copies into hero_foundry webdav | After all five land, the §0.1 Quick path becomes truly hot-fix-free for the happy path (basic-auth or hero_proxy auth picked per deploy). Validation on each PR is parser-only (`nu -c "use ..."` + bash/python AST) — runtime needs a TF Grid VM. Awaiting verification + green-light before squash-merging. Signed-off-by: mik-tf
mik-tf commented 2026-04-25 20:39:11 +00:00
Author
Owner
Copy link

Phase 2 'what's left' — all 5 PRs merged

All five squash-merged to development:

PR Commit What
hero_skills #127 60375f4 new service_agent + service_biz/service_router env wiring
hero_skills #128 6d1f725 service_os wasm_build + service_complete --wasm
hero_skills #129 011dd83 basic_auth_setup (demo nginx gate)
hero_skills #130 f17e99c proxy_auth_setup (canonical hero_proxy auth)
hero_demo #1 9318fd0 data/seed/ + seed_install.sh

Pre-merge audit caught 3 real bugs (AIBROKER URL scheme, stale :6666 port, cd cwd leak) — all fixed before merge.

Issues closed

#182 (auth — both deploy modes shipped), #183 (seed data).

New tracker filed

home#186 — finalize prod auth on hero_proxy and remove demo nginx helper. Operators currently choose between two auth paths; long-term we want exactly one.

What's left in Phase 2

  • home#168 — embedder build retry race (cosmetic, recoverable)
  • home#173ort crate version unification (multi-day cross-repo refactor; deploy-side workaround in place)
  • home#180hero_biz Hero0Config → OSIS per-domain refactor (multi-day; native Business island works as alternative)
  • home#186 — finalize prod auth (NEW)

The Quick path in DEPLOYMENT_NU_HERO_OS.md is now end-to-end nu commands (modulo §5 backup restore which only matters when migrating data). Runbook updated at f2444ad on hero_demo/development.

This issue stays open until the four remaining items resolve — keeps it as the umbrella tracker.

Signed-off-by: mik-tf

## Phase 2 'what's left' — all 5 PRs merged ✅ All five squash-merged to `development`: | PR | Commit | What | |----|--------|------| | [hero_skills #127](https://forge.ourworld.tf/lhumina_code/hero_skills/pulls/127) | [`60375f4`](https://forge.ourworld.tf/lhumina_code/hero_skills/commit/60375f4) | new `service_agent` + service_biz/service_router env wiring | | [hero_skills #128](https://forge.ourworld.tf/lhumina_code/hero_skills/pulls/128) | [`6d1f725`](https://forge.ourworld.tf/lhumina_code/hero_skills/commit/6d1f725) | `service_os wasm_build` + `service_complete --wasm` | | [hero_skills #129](https://forge.ourworld.tf/lhumina_code/hero_skills/pulls/129) | [`011dd83`](https://forge.ourworld.tf/lhumina_code/hero_skills/commit/011dd83) | `basic_auth_setup` (demo nginx gate) | | [hero_skills #130](https://forge.ourworld.tf/lhumina_code/hero_skills/pulls/130) | [`f17e99c`](https://forge.ourworld.tf/lhumina_code/hero_skills/commit/f17e99c) | `proxy_auth_setup` (canonical hero_proxy auth) | | [hero_demo #1](https://forge.ourworld.tf/lhumina_code/hero_demo/pulls/1) | [`9318fd0`](https://forge.ourworld.tf/lhumina_code/hero_demo/commit/9318fd0) | `data/seed/` + `seed_install.sh` | Pre-merge audit caught **3 real bugs** (AIBROKER URL scheme, stale `:6666` port, `cd` cwd leak) — all fixed before merge. ### Issues closed #182 (auth — both deploy modes shipped), #183 (seed data). ### New tracker filed [home#186](https://forge.ourworld.tf/lhumina_code/home/issues/186) — finalize prod auth on `hero_proxy` and remove demo nginx helper. Operators currently choose between two auth paths; long-term we want exactly one. ### What's left in Phase 2 - [home#168](https://forge.ourworld.tf/lhumina_code/home/issues/168) — embedder build retry race (cosmetic, recoverable) - [home#173](https://forge.ourworld.tf/lhumina_code/home/issues/173) — `ort` crate version unification (multi-day cross-repo refactor; deploy-side workaround in place) - [home#180](https://forge.ourworld.tf/lhumina_code/home/issues/180) — `hero_biz` `Hero0Config` → OSIS per-domain refactor (multi-day; native Business island works as alternative) - [home#186](https://forge.ourworld.tf/lhumina_code/home/issues/186) — finalize prod auth (NEW) The Quick path in [DEPLOYMENT_NU_HERO_OS.md](https://forge.ourworld.tf/lhumina_code/hero_demo/src/branch/development/docs/ops/DEPLOYMENT_NU_HERO_OS.md) is now end-to-end nu commands (modulo §5 backup restore which only matters when migrating data). Runbook updated at `f2444ad` on `hero_demo/development`. This issue stays open until the four remaining items resolve — keeps it as the umbrella tracker. Signed-off-by: mik-tf
mik-tf commented 2026-04-28 12:21:29 +00:00
Author
Owner
Copy link

Moved to hero_demo#36 — see lhumina_code/hero_demo#36

Moved to hero_demo#36 — see https://forge.ourworld.tf/lhumina_code/hero_demo/issues/36
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
development
main
No results found.
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
lhumina_code/home#185
No description provided.