lhumina_code/home
0
0
Fork 0
Code Issues 63 Pull requests Projects Releases Packages Wiki Activity Actions

[META] Hero OS demo Phase 2 — Forge SSO + complete e2e UX #237

New issue
Closed
opened 2026-05-26 03:53:35 +00:00 by mik-tf · 5 comments
mik-tf commented 2026-05-26 03:53:35 +00:00
Owner
Copy link

Post-closure clarification, 2026-05-27: user-tested SSO confirms the perimeter is correct: cockpit and deployer paths on https://hcockpit.gent01.qa.grid.tf are restricted until Forge login at forge.ourworld.tf. This issue remains closed for the Phase 2 auth substrate: Forge SSO, admin allowlist, and persisted OAuth-token use. The screenshot after login still shows the Hero Cockpit Admin scaffold, so full admin/tester UX completion is now tracked separately in home#238.

Session 166 closed on 2026-05-27: fixed hero_proxy#56 gateway-listener env seeding and recorded the post-SSO admin/tester UX audit in e2e_checklist.md; next work is deployer admin provisioning UX hardening.

Session 165 closed Phase 2 on 2026-05-26: Forge SSO, persisted OAuth token use, cockpit repo widget, and admin allowlist denial were live-verified on the public QA admin VM; follow-up issues are linked from the closure comment.

Hero OS demo Phase 2 - v1 Hero tester environment

Session 163.5 (planning refresh, 2026-05-26) finalized the closure plan for session 164. Admin VM 0062 was torn down, QA node 5 freshly re-rented, dual-admin design adopted (mik-tf + scott in ADMIN_FORGE_USERS and on the admin VM SSH authorized_keys). Full s164 plan is in the latest comment on this issue (closure-plan comment id 37068).

Session 160 opened this issue (2026-05-26) after closing home#235 as Phase 1 shipped. Phase 2 session 1 closed at session 161 as an investigation that surfaced the OAuth implementation gap. Implementation began at session 162 (substrate in hero_proxy, D-31). Session 163 shipped the cockpit consumer side (D-32 + L-10, hero_proxy@1d54373 + hero_cockpit@386c412, full pre-merge gate green on both repos). Session 164 redeploys admin VM 0062 + live-verifies the full SSO walk + closes this arc.

Phase 1 (home#235) shipped the substrate. Public URL live at https://hcockpit.gent01.qa.grid.tf/, admin VM provisions tester VMs end-to-end on TFGrid, cockpit and services management work, deployer admin UI for users and VMs is committed.

Phase 2 closes the loop into the v1 Hero tester environment: a polished self-service flow where a tester can walk top to bottom without operator hand-holding, gated by their existing forge.ourworld.tf account.

Executive summary

Today the demo works only with someone guiding the tester. Phase 2 removes the hand-holding by gating both admin and user surfaces behind Forge SSO (same login as forge.ourworld.tf), with the admin allowlist controlling who can act as an operator. End-state: an operator types a username, delivers the temp password to the tester out of band (Telegram is fine for v1), the tester signs into Forge once, comes to the cockpit URL, authorizes Hero Cockpit on the standard OAuth consent screen, and lands on their personal Hero OS environment where they can use Books, Slides, and Planner. No passwords pasted into cockpit, no admin URL exposed to outsiders, no email-sender service required.

The v1 walk (the complete e2e UX)

What a non-engineer should be able to walk top to bottom:

  1. Operator deploys an admin VM following the documented runbook. Admin VM gets a public URL behind the TFGrid Web Gateway (TLS terminated at the gateway).
  2. Operator configures the admin allowlist by setting a secret slot listing the forge.ourworld.tf usernames who are admins on this VM. One line of operator action.
  3. Admin opens the admin URL in a browser. Page redirects to forge.ourworld.tf for sign-in. After signing in with their existing Forge account, the page checks they are in the allowlist and lands them on the admin dashboard. Outsiders hitting the URL get a sign-in prompt and a 403 if not in the allowlist.
  4. Admin adds a new tester via a form on the admin dashboard. Form takes Forge username, email, and display name. The deployer mints the Forge user with a one-time initial password. The password is shown to the admin on the page once for out-of-band delivery (Telegram or any direct messenger).
  5. The tester receives the temp password via Telegram from the admin, along with the cockpit URL.
  6. Tester opens forge.ourworld.tf with the temp password, gets forced into a password change on first login, uploads their SSH public key from Settings.
  7. Tester opens the cockpit URL from the message. Page redirects to forge.ourworld.tf SSO. Tester signs in (if not still signed in from step 6).
  8. Tester sees the standard OAuth consent screen: "Hero Cockpit wants to read your profile and write to your workspace repositories on your behalf. [Authorize]". Tester clicks Authorize once.
  9. Tester lands on their personal cockpit. Their Forge identity carries through automatically. They can open Books with the default content libraries preloaded, work in Slides, plan in Planner.
  10. Admin at any time can see all users and their VMs from the SSO-gated admin dashboard, regenerate a tester'''s password (display once for out-of-band delivery), destroy a VM, or destroy a user.

What changes vs Phase 1

Concern Phase 1 (today) Phase 2 (this issue)
Admin URL Open to the internet, scaffold placeholder SSO-gated, real users and VMs surface (admin UI code already committed)
User cockpit Open to anyone with the URL, paste-token onboarding SSO-gated, OAuth consent grants ongoing API access automatically
Tester onboarding Manual email out of band plus 4-step paste-token walk Manual temp-password delivery plus one-click OAuth consent
Admin allowlist Implicit (anyone with the URL is admin) Explicit secret slot, only listed Forge users are admins
Cockpit Forge API access Manual personal access token paste OAuth access plus refresh token persisted automatically

The OAuth integration shape

We use the standard Forgejo OAuth 2.0 flow with PKCE-S256. On consent, Forge issues both an access_token (short-lived) and a refresh_token (long-lived). The cockpit persists both in a per-user secret slot and refreshes the access_token automatically when it expires. All downstream Forge API calls the cockpit makes on the user'''s behalf (writing workspace data back to Forge, syncing books, posting feedback) use this token. The user never has to manually generate or paste a personal access token. Token rotation is invisible.

Where the OAuth implementation lives. hero_proxy already ships a complete OAuth 2.0 + OIDC implementation (PKCE-S256, CSRF state store with TTL sweep, well-known provider URL presets including Forge, session cookies with the __Host- prefix, database-backed provider config, callback handler, claims-based per-method authorization). Phase 2 uses this existing implementation directly. Forge is registered as a provider via the existing oauth.set_provider RPC. Backend admin panels and cockpit consume identity from hero_proxy via the canonical injected-claims headers (X-Hero-User, X-Hero-Claims, X-Hero-Context) per the workspace authorization model. The only net-new behaviour Phase 2 adds is (a) persisting the OAuth access plus refresh tokens to a per-user secret slot at callback time (today the existing flow drops the upstream token after building the session), and (b) the admin allowlist gating layer that reads from a secret slot. No new shared OAuth library is introduced; the workspace already has the OAuth substrate in the right place.

Implementation plan (4 sessions)

# Session Head Estimated
1 Investigation (closed at session 161). Surfaced that the OAuth substrate already lives in hero_proxy (oauth + oidc modules, ~750 LOC, production-complete with PKCE-S256 plus OIDC plus Forge preset plus DB-backed provider config plus session cookies). No new shared library is needed. The session-161 standalone crate experiment was archived as off-pattern relative to the canonical workspace shared-library structure. Phase 2 implementation begins at session 162. done
2 Wire Forge SSO into hero_proxy using the existing OAuth implementation: seed Forge as a provider on startup from cockpit/FORGE_OAUTH_CLIENT_ID and cockpit/FORGE_OAUTH_CLIENT_SECRET secret slots, extend the existing callback handler to persist access plus refresh tokens to per-user secret slots, add an admin allowlist middleware reading deployer/ADMIN_FORGE_USERS, inject identity headers (X-Hero-User, X-Hero-Claims) downstream to cockpit and admin handlers. 3-4h
3 Cockpit drops the paste-token flow in favor of the SSO-injected identity headers. The /welcome page is either removed or kept as a documented fallback for headless / scripted users. Cockpit'''s downstream Forge API calls switch from reading the legacy USER_FORGE_TOKEN slot to reading the new per-user OAuth token slot (with the refresh-on-expiry logic inlined in cockpit'''s API client). 2-3h
4 Redeploy admin VM with the full v1 stack. Live-verify the complete e2e walk top to bottom with a real test user. Update the operator runbook with the new steps (how to register the Forge OAuth application, how to set the admin allowlist, how to deliver temp passwords manually via Telegram). 2-3h

Total: 3 implementation sessions remaining (162, 163, 164), roughly 7 to 10 hours focused work.

The current admin VM at hcockpit.gent01.qa.grid.tf continues to serve the placeholder admin scaffold (no real admin UI exposed) until session 4 redeploys it. The session 160 admin UI commits are on the development branch but intentionally not deployed yet, because deploying them today would expose privileged actions to the open internet.

Existing substrate to reuse

  • Forge OAuth implementation: hero_proxy/crates/hero_proxy_server/src/oauth.rs (458 LOC) plus oidc.rs (278 LOC) plus auth.rs plus authz.rs. PKCE-S256 with state-store TTL sweep, OIDC id_token validation, Forge preset in known_provider_urls, callback handler at GET /oauth/callback, session cookie utilities, per-method claims authorization. Phase 2 extends this in-place. A parallel inlined implementation lives in hero_onboarding/crates/hero_onboarding_server/src/forge_oauth.rs (~542 LOC, locked under hero_onboarding'''s own dual-auth design); both implementations stay; Phase 2 does not consolidate them since the Phase 2 consumer is hero_proxy, not hero_onboarding.
  • Admin UI: shipped in session 160 at hero_tfgrid_deployer/crates/hero_tfgrid_deployer_admin. Users list, create user, provision VM, regenerate password, destroy user/VM all wired. Just needs to be put behind the auth gate.
  • Onboarding shell: shipped in session 160 at hero_cockpit/crates/hero_cockpit_web (the /welcome paste-token flow). Becomes a fallback for headless / scripted users once SSO ships; the primary flow is sign-in-with-Forge.
  • Public URL plus TLS: live at hcockpit.gent01.qa.grid.tf, TLS terminated at the TFGrid Web Gateway. No changes needed.
  • Deployer RPC backbone: create_user, list_users, provision_vm, list_vms, regenerate_password, delete_vm, delete_user all shipped and working. No changes needed.
  • Default content libraries: hero_books default-load wire shipped in session 159 (4 public repos preloaded on first boot). No changes needed.
  • Canonical authorization model: hero_router injects X-Hero-Claims, X-Hero-Context, X-Hero-User headers; downstream services do authorization against the injected claims and do not authenticate users themselves. Cockpit and admin handlers receive identity this way at runtime.

Apps in scope for v1

User-facing apps available from the cockpit on a v1 tester VM:

  • Hero Books (with default content libraries)
  • Hero Slides
  • Hero Planner

That alone is a meaningful start for the tester walk. The cockpit also surfaces services management, settings, and the per-service manual.

Out of scope for v1 (filed as separate sub-trackers when scoped)

These are real gaps in the executable checklist but each has its own substrate and wants its own arc framing:

  • Cockpit chat surface (B-29) in hero_agent integration land
  • Assistant grounding pipeline (CC-3) in hero_embedder plus hero_indexer land
  • Voice widget integration (B-23) in hero_voice land
  • Welcome email automation (A-18) deferred; manual delivery via Telegram is the v1 channel
  • Multi-VM concurrent isolation at scale (multiple users sharing a node)
  • Per-VM live event log streaming in admin UI (stretch goal, may land in session 2 if scope allows)

Acceptance criteria

  1. Anonymous visit to the admin URL redirects to forge.ourworld.tf, signs in, lands on admin if the Forge username is in the allowlist, returns 403 if not.
  2. Anonymous visit to the cockpit URL redirects to forge.ourworld.tf, signs in, shows the OAuth consent screen, and after consent lands on the cockpit with the Forge identity active and no further setup required.
  3. Admin can create a new tester from the admin UI; the page displays the temp password once; the admin can copy and deliver it out of band.
  4. The tester completes steps 6 through 9 of the v1 walk above without operator intervention.
  5. The cockpit makes at least one Forge API call on the user'''s behalf using the persisted OAuth token (proof that the token-persistence layer works; the specific call exercised in acceptance is captured at session 4 close).
  6. The executable checklist rows flip Have for B-5, CC-4, A-20 through A-25; a new row is added for the SSO-gated user landing.
  7. The operator runbook documents the Forge OAuth application registration step, the admin allowlist secret slot, and the temp-password delivery convention.

Cross-links

  • Phase 1 tracker (closed): #235
  • Forge OAuth implementation used by Phase 2: https://forge.ourworld.tf/lhumina_code/hero_proxy (oauth.rs plus oidc.rs in hero_proxy_server)
  • Parallel inlined implementation kept in place: https://forge.ourworld.tf/lhumina_code/hero_onboarding (forge_oauth.rs)
  • Email provider lock (deferred for v1, kept as a reference for the eventual A-18 follow-up): #236
  • Executable checklist: lhumina_code/home/docs/channels/free/e2e_checklist.md
  • Narrative reference: lhumina_code/home/docs/channels/free-and-paid.md
  • Admin VM deployment runbook: lhumina_code/home/docs/channels/free/admin-vm-deployment-runbook.md
  • Forge OAuth setup runbook: lhumina_code/home/docs/channels/free/forge-oauth-setup.md
  • Session 160 commits (the Phase 2 starting baseline): hero_tfgrid_deployer@7036a9f (admin UI), hero_cockpit@8ef1108 (paste-token onboarding fallback).
  • Substrate decisions: D-22 (Forge token namespacing), D-23 (SSH custody), D-26 (self-hosted compute), D-27 (substrate await on-chain ack), D-28 (TLS at TFGrid Web Gateway), D-30 (demo target QA fallback), hero_onboarding D-18 (PKCE-S256 OAuth wire spec).
**Post-closure clarification, 2026-05-27:** user-tested SSO confirms the perimeter is correct: cockpit and deployer paths on `https://hcockpit.gent01.qa.grid.tf` are restricted until Forge login at `forge.ourworld.tf`. This issue remains closed for the Phase 2 auth substrate: Forge SSO, admin allowlist, and persisted OAuth-token use. The screenshot after login still shows the Hero Cockpit Admin scaffold, so full admin/tester UX completion is now tracked separately in [home#238](https://forge.ourworld.tf/lhumina_code/home/issues/238). **Session 166 closed on 2026-05-27:** fixed hero_proxy#56 gateway-listener env seeding and recorded the post-SSO admin/tester UX audit in e2e_checklist.md; next work is deployer admin provisioning UX hardening. **Session 165 closed Phase 2 on 2026-05-26:** Forge SSO, persisted OAuth token use, cockpit repo widget, and admin allowlist denial were live-verified on the public QA admin VM; follow-up issues are linked from the closure comment. # Hero OS demo Phase 2 - v1 Hero tester environment **Session 163.5 (planning refresh, 2026-05-26) finalized the closure plan for session 164.** Admin VM `0062` was torn down, QA node 5 freshly re-rented, dual-admin design adopted (mik-tf + scott in `ADMIN_FORGE_USERS` and on the admin VM SSH authorized_keys). Full s164 plan is in the latest comment on this issue (closure-plan comment id 37068). **Session 160 opened this issue** (2026-05-26) after closing [home#235](https://forge.ourworld.tf/lhumina_code/home/issues/235) as Phase 1 shipped. Phase 2 session 1 closed at session 161 as an investigation that surfaced the OAuth implementation gap. Implementation began at session 162 (substrate in hero_proxy, D-31). Session 163 shipped the cockpit consumer side (D-32 + L-10, hero_proxy@1d54373 + hero_cockpit@386c412, full pre-merge gate green on both repos). Session 164 redeploys admin VM 0062 + live-verifies the full SSO walk + closes this arc. **Phase 1 ([home#235](https://forge.ourworld.tf/lhumina_code/home/issues/235)) shipped the substrate.** Public URL live at https://hcockpit.gent01.qa.grid.tf/, admin VM provisions tester VMs end-to-end on TFGrid, cockpit and services management work, deployer admin UI for users and VMs is committed. Phase 2 closes the loop into the **v1 Hero tester environment**: a polished self-service flow where a tester can walk top to bottom without operator hand-holding, gated by their existing forge.ourworld.tf account. ## Executive summary Today the demo works only with someone guiding the tester. Phase 2 removes the hand-holding by gating both admin and user surfaces behind Forge SSO (same login as forge.ourworld.tf), with the admin allowlist controlling who can act as an operator. End-state: an operator types a username, delivers the temp password to the tester out of band (Telegram is fine for v1), the tester signs into Forge once, comes to the cockpit URL, authorizes Hero Cockpit on the standard OAuth consent screen, and lands on their personal Hero OS environment where they can use Books, Slides, and Planner. No passwords pasted into cockpit, no admin URL exposed to outsiders, no email-sender service required. ## The v1 walk (the complete e2e UX) What a non-engineer should be able to walk top to bottom: 1. **Operator deploys an admin VM** following the documented runbook. Admin VM gets a public URL behind the TFGrid Web Gateway (TLS terminated at the gateway). 2. **Operator configures the admin allowlist** by setting a secret slot listing the forge.ourworld.tf usernames who are admins on this VM. One line of operator action. 3. **Admin opens the admin URL** in a browser. Page redirects to forge.ourworld.tf for sign-in. After signing in with their existing Forge account, the page checks they are in the allowlist and lands them on the admin dashboard. Outsiders hitting the URL get a sign-in prompt and a 403 if not in the allowlist. 4. **Admin adds a new tester** via a form on the admin dashboard. Form takes Forge username, email, and display name. The deployer mints the Forge user with a one-time initial password. The password is shown to the admin on the page once for out-of-band delivery (Telegram or any direct messenger). 5. **The tester receives the temp password** via Telegram from the admin, along with the cockpit URL. 6. **Tester opens forge.ourworld.tf** with the temp password, gets forced into a password change on first login, uploads their SSH public key from Settings. 7. **Tester opens the cockpit URL** from the message. Page redirects to forge.ourworld.tf SSO. Tester signs in (if not still signed in from step 6). 8. **Tester sees the standard OAuth consent screen:** "Hero Cockpit wants to read your profile and write to your workspace repositories on your behalf. [Authorize]". Tester clicks Authorize once. 9. **Tester lands on their personal cockpit.** Their Forge identity carries through automatically. They can open Books with the default content libraries preloaded, work in Slides, plan in Planner. 10. **Admin at any time** can see all users and their VMs from the SSO-gated admin dashboard, regenerate a tester'''s password (display once for out-of-band delivery), destroy a VM, or destroy a user. ## What changes vs Phase 1 | Concern | Phase 1 (today) | Phase 2 (this issue) | |---|---|---| | Admin URL | Open to the internet, scaffold placeholder | SSO-gated, real users and VMs surface (admin UI code already committed) | | User cockpit | Open to anyone with the URL, paste-token onboarding | SSO-gated, OAuth consent grants ongoing API access automatically | | Tester onboarding | Manual email out of band plus 4-step paste-token walk | Manual temp-password delivery plus one-click OAuth consent | | Admin allowlist | Implicit (anyone with the URL is admin) | Explicit secret slot, only listed Forge users are admins | | Cockpit Forge API access | Manual personal access token paste | OAuth access plus refresh token persisted automatically | ## The OAuth integration shape We use the standard Forgejo OAuth 2.0 flow with PKCE-S256. On consent, Forge issues both an access_token (short-lived) and a refresh_token (long-lived). The cockpit persists both in a per-user secret slot and refreshes the access_token automatically when it expires. All downstream Forge API calls the cockpit makes on the user'''s behalf (writing workspace data back to Forge, syncing books, posting feedback) use this token. The user never has to manually generate or paste a personal access token. Token rotation is invisible. **Where the OAuth implementation lives.** `hero_proxy` already ships a complete OAuth 2.0 + OIDC implementation (PKCE-S256, CSRF state store with TTL sweep, well-known provider URL presets including Forge, session cookies with the __Host- prefix, database-backed provider config, callback handler, claims-based per-method authorization). Phase 2 uses this existing implementation directly. Forge is registered as a provider via the existing `oauth.set_provider` RPC. Backend admin panels and cockpit consume identity from `hero_proxy` via the canonical injected-claims headers (`X-Hero-User`, `X-Hero-Claims`, `X-Hero-Context`) per the workspace authorization model. The only net-new behaviour Phase 2 adds is (a) persisting the OAuth access plus refresh tokens to a per-user secret slot at callback time (today the existing flow drops the upstream token after building the session), and (b) the admin allowlist gating layer that reads from a secret slot. No new shared OAuth library is introduced; the workspace already has the OAuth substrate in the right place. ## Implementation plan (4 sessions) | # | Session | Head | Estimated | |---|---|---|---| | 1 | **Investigation (closed at session 161).** Surfaced that the OAuth substrate already lives in `hero_proxy` (oauth + oidc modules, ~750 LOC, production-complete with PKCE-S256 plus OIDC plus Forge preset plus DB-backed provider config plus session cookies). No new shared library is needed. The session-161 standalone crate experiment was archived as off-pattern relative to the canonical workspace shared-library structure. Phase 2 implementation begins at session 162. | done | | 2 | Wire Forge SSO into `hero_proxy` using the existing OAuth implementation: seed Forge as a provider on startup from `cockpit/FORGE_OAUTH_CLIENT_ID` and `cockpit/FORGE_OAUTH_CLIENT_SECRET` secret slots, extend the existing callback handler to persist access plus refresh tokens to per-user secret slots, add an admin allowlist middleware reading `deployer/ADMIN_FORGE_USERS`, inject identity headers (`X-Hero-User`, `X-Hero-Claims`) downstream to cockpit and admin handlers. | 3-4h | | 3 | Cockpit drops the paste-token flow in favor of the SSO-injected identity headers. The /welcome page is either removed or kept as a documented fallback for headless / scripted users. Cockpit'''s downstream Forge API calls switch from reading the legacy USER_FORGE_TOKEN slot to reading the new per-user OAuth token slot (with the refresh-on-expiry logic inlined in cockpit'''s API client). | 2-3h | | 4 | Redeploy admin VM with the full v1 stack. Live-verify the complete e2e walk top to bottom with a real test user. Update the operator runbook with the new steps (how to register the Forge OAuth application, how to set the admin allowlist, how to deliver temp passwords manually via Telegram). | 2-3h | **Total: 3 implementation sessions remaining (162, 163, 164), roughly 7 to 10 hours focused work.** The current admin VM at hcockpit.gent01.qa.grid.tf continues to serve the placeholder admin scaffold (no real admin UI exposed) until session 4 redeploys it. The session 160 admin UI commits are on the development branch but intentionally not deployed yet, because deploying them today would expose privileged actions to the open internet. ## Existing substrate to reuse - **Forge OAuth implementation**: `hero_proxy/crates/hero_proxy_server/src/oauth.rs` (458 LOC) plus `oidc.rs` (278 LOC) plus `auth.rs` plus `authz.rs`. PKCE-S256 with state-store TTL sweep, OIDC id_token validation, Forge preset in `known_provider_urls`, callback handler at `GET /oauth/callback`, session cookie utilities, per-method claims authorization. Phase 2 extends this in-place. **A parallel inlined implementation lives in `hero_onboarding/crates/hero_onboarding_server/src/forge_oauth.rs`** (~542 LOC, locked under hero_onboarding'''s own dual-auth design); both implementations stay; Phase 2 does not consolidate them since the Phase 2 consumer is `hero_proxy`, not hero_onboarding. - **Admin UI**: shipped in session 160 at hero_tfgrid_deployer/crates/hero_tfgrid_deployer_admin. Users list, create user, provision VM, regenerate password, destroy user/VM all wired. Just needs to be put behind the auth gate. - **Onboarding shell**: shipped in session 160 at hero_cockpit/crates/hero_cockpit_web (the /welcome paste-token flow). Becomes a fallback for headless / scripted users once SSO ships; the primary flow is sign-in-with-Forge. - **Public URL plus TLS**: live at hcockpit.gent01.qa.grid.tf, TLS terminated at the TFGrid Web Gateway. No changes needed. - **Deployer RPC backbone**: create_user, list_users, provision_vm, list_vms, regenerate_password, delete_vm, delete_user all shipped and working. No changes needed. - **Default content libraries**: hero_books default-load wire shipped in session 159 (4 public repos preloaded on first boot). No changes needed. - **Canonical authorization model**: `hero_router` injects `X-Hero-Claims`, `X-Hero-Context`, `X-Hero-User` headers; downstream services do authorization against the injected claims and do not authenticate users themselves. Cockpit and admin handlers receive identity this way at runtime. ## Apps in scope for v1 User-facing apps available from the cockpit on a v1 tester VM: - **Hero Books** (with default content libraries) - **Hero Slides** - **Hero Planner** That alone is a meaningful start for the tester walk. The cockpit also surfaces services management, settings, and the per-service manual. ## Out of scope for v1 (filed as separate sub-trackers when scoped) These are real gaps in the executable checklist but each has its own substrate and wants its own arc framing: - **Cockpit chat surface (B-29)** in hero_agent integration land - **Assistant grounding pipeline (CC-3)** in hero_embedder plus hero_indexer land - **Voice widget integration (B-23)** in hero_voice land - **Welcome email automation (A-18)** deferred; manual delivery via Telegram is the v1 channel - **Multi-VM concurrent isolation at scale** (multiple users sharing a node) - **Per-VM live event log streaming in admin UI** (stretch goal, may land in session 2 if scope allows) ## Acceptance criteria 1. Anonymous visit to the admin URL redirects to forge.ourworld.tf, signs in, lands on admin if the Forge username is in the allowlist, returns 403 if not. 2. Anonymous visit to the cockpit URL redirects to forge.ourworld.tf, signs in, shows the OAuth consent screen, and after consent lands on the cockpit with the Forge identity active and no further setup required. 3. Admin can create a new tester from the admin UI; the page displays the temp password once; the admin can copy and deliver it out of band. 4. The tester completes steps 6 through 9 of the v1 walk above without operator intervention. 5. The cockpit makes at least one Forge API call on the user'''s behalf using the persisted OAuth token (proof that the token-persistence layer works; the specific call exercised in acceptance is captured at session 4 close). 6. The executable checklist rows flip Have for B-5, CC-4, A-20 through A-25; a new row is added for the SSO-gated user landing. 7. The operator runbook documents the Forge OAuth application registration step, the admin allowlist secret slot, and the temp-password delivery convention. ## Cross-links - Phase 1 tracker (closed): https://forge.ourworld.tf/lhumina_code/home/issues/235 - Forge OAuth implementation used by Phase 2: https://forge.ourworld.tf/lhumina_code/hero_proxy (oauth.rs plus oidc.rs in hero_proxy_server) - Parallel inlined implementation kept in place: https://forge.ourworld.tf/lhumina_code/hero_onboarding (forge_oauth.rs) - Email provider lock (deferred for v1, kept as a reference for the eventual A-18 follow-up): https://forge.ourworld.tf/lhumina_code/home/issues/236 - Executable checklist: lhumina_code/home/docs/channels/free/e2e_checklist.md - Narrative reference: lhumina_code/home/docs/channels/free-and-paid.md - Admin VM deployment runbook: lhumina_code/home/docs/channels/free/admin-vm-deployment-runbook.md - Forge OAuth setup runbook: lhumina_code/home/docs/channels/free/forge-oauth-setup.md - Session 160 commits (the Phase 2 starting baseline): hero_tfgrid_deployer@7036a9f (admin UI), hero_cockpit@8ef1108 (paste-token onboarding fallback). - Substrate decisions: D-22 (Forge token namespacing), D-23 (SSH custody), D-26 (self-hosted compute), D-27 (substrate await on-chain ack), D-28 (TLS at TFGrid Web Gateway), D-30 (demo target QA fallback), hero_onboarding D-18 (PKCE-S256 OAuth wire spec).
mik-tf commented 2026-05-26 15:11:02 +00:00
Author
Owner
Copy link

Session 162 closed — Phase 2 session 2 shipped

TL;DR: hero_proxy now seeds the Forge OAuth provider on boot from the operator-set secrets, persists per-IdP-identity OAuth tokens to per-user secret slots, and ships an admin allowlist module ready for s163 wiring. The session-161 standalone hero_forge_oauth crate was archived as off-pattern relative to the canonical Hero shared-library structure (3 repos: hero_lib + hero_rpc + hero_proc). OAuth implementation lives only in hero_proxy from now on; consumers receive identity via the canonical injected headers.

Commits shipped on origin/development

  • hero_proxy@3eb1b57 — extends in-place OAuth for Phase 2 + drive-by fixes for upstream breakage. 36 files changed (+1075/-354). New modules: forge_token_store.rs, admin_allowlist.rs, forge_oauth_seed.rs. Extensions to oauth.rs (token capture inside exchange_code_for_identity) and proxy.rs (callback handler spawns token persistence). 5 new integration tests + 9 new unit tests pass. Drive-by repairs two pre-existing parse/clippy failures from the 1adb9fa refactor on origin/development.
  • home@7f1e327 — operator runbook + checklist updates. forge-oauth-setup.md rewritten to reference hero_proxy's existing OAuth surface (redirect URI is /oauth/callback); runtime secret slots renamed to the per-IdP-identity key shape. e2e_checklist.md flips B-5 (cockpit URL OAuth gate) and CC-4 (single auth identity across cockpit-routed services) from Blocked to Have.

Architecture decision

D-31 locked: OAuth substrate stays in hero_proxy only; no shared OAuth library. Cockpit and deployer_admin consume identity via injected X-Hero-User + X-Hero-Claims + X-Hero-Context headers per the canonical authorization model. On-behalf-of API tokens persist in per-IdP-identity hero_proc secret slots keyed on (provider, sha256(external_id)[..16]) — never on any name field. The local-username namespace is strictly broader than the IdP namespace because of the collision-resolution suffix ladder, so name-keyed token slots would risk letting a deleted-and-recreated local user inherit a previous tenant's still-valid tokens.

Pre-merge gate

cargo fmt --check plus cargo clippy --workspace --all-targets -- -D warnings plus cargo build --workspace --release all clean. 49 of 49 hero_proxy_server library unit tests pass. 5 of 5 new phase2_oauth integration tests pass. The 6 pre-existing failures on the integration suite reproduce unchanged on origin/development; they are not regressions from this session.

Operator action queued before s164

Register the Hero Cockpit OAuth application at forge.ourworld.tf admin for hostname hcockpit.gent01.qa.grid.tf with redirect URI https://hcockpit.gent01.qa.grid.tf/oauth/callback. Push client_id and client_secret into the admin VM via hero_proc secret set --context cockpit FORGE_OAUTH_CLIENT_ID/SECRET. Set the admin allowlist via hero_proc secret set --context deployer ADMIN_FORGE_USERS "username1,username2". Full step-by-step in lhumina_code/home/docs/channels/free/forge-oauth-setup.md.

Next session

s163: cockpit drops the paste-token onboarding flow in favor of the SSO-injected identity headers. Switches downstream Forge API calls from the legacy cockpit/USER_FORGE_TOKEN slot to the new per-IdP-identity OAuth slots, with refresh-on-expiry logic inlined in cockpit. Estimated 2-3 hours. After that, s164 redeploys the admin VM with the full v1 stack and live-verifies the complete e2e walk top to bottom.

## Session 162 closed — Phase 2 session 2 shipped **TL;DR**: hero_proxy now seeds the Forge OAuth provider on boot from the operator-set secrets, persists per-IdP-identity OAuth tokens to per-user secret slots, and ships an admin allowlist module ready for s163 wiring. The session-161 standalone `hero_forge_oauth` crate was archived as off-pattern relative to the canonical Hero shared-library structure (3 repos: hero_lib + hero_rpc + hero_proc). OAuth implementation lives only in hero_proxy from now on; consumers receive identity via the canonical injected headers. ### Commits shipped on origin/development - **hero_proxy@3eb1b57** — extends in-place OAuth for Phase 2 + drive-by fixes for upstream breakage. 36 files changed (+1075/-354). New modules: `forge_token_store.rs`, `admin_allowlist.rs`, `forge_oauth_seed.rs`. Extensions to `oauth.rs` (token capture inside `exchange_code_for_identity`) and `proxy.rs` (callback handler spawns token persistence). 5 new integration tests + 9 new unit tests pass. Drive-by repairs two pre-existing parse/clippy failures from the `1adb9fa` refactor on origin/development. - **home@7f1e327** — operator runbook + checklist updates. `forge-oauth-setup.md` rewritten to reference `hero_proxy`'s existing OAuth surface (redirect URI is `/oauth/callback`); runtime secret slots renamed to the per-IdP-identity key shape. `e2e_checklist.md` flips B-5 (cockpit URL OAuth gate) and CC-4 (single auth identity across cockpit-routed services) from Blocked to Have. ### Architecture decision D-31 locked: OAuth substrate stays in `hero_proxy` only; no shared OAuth library. Cockpit and deployer_admin consume identity via injected `X-Hero-User` + `X-Hero-Claims` + `X-Hero-Context` headers per the canonical authorization model. On-behalf-of API tokens persist in per-IdP-identity hero_proc secret slots keyed on `(provider, sha256(external_id)[..16])` — never on any name field. The local-username namespace is strictly broader than the IdP namespace because of the collision-resolution suffix ladder, so name-keyed token slots would risk letting a deleted-and-recreated local user inherit a previous tenant's still-valid tokens. ### Pre-merge gate `cargo fmt --check` plus `cargo clippy --workspace --all-targets -- -D warnings` plus `cargo build --workspace --release` all clean. 49 of 49 hero_proxy_server library unit tests pass. 5 of 5 new phase2_oauth integration tests pass. The 6 pre-existing failures on the integration suite reproduce unchanged on origin/development; they are not regressions from this session. ### Operator action queued before s164 Register the Hero Cockpit OAuth application at forge.ourworld.tf admin for hostname `hcockpit.gent01.qa.grid.tf` with redirect URI `https://hcockpit.gent01.qa.grid.tf/oauth/callback`. Push `client_id` and `client_secret` into the admin VM via `hero_proc secret set --context cockpit FORGE_OAUTH_CLIENT_ID/SECRET`. Set the admin allowlist via `hero_proc secret set --context deployer ADMIN_FORGE_USERS "username1,username2"`. Full step-by-step in `lhumina_code/home/docs/channels/free/forge-oauth-setup.md`. ### Next session s163: cockpit drops the paste-token onboarding flow in favor of the SSO-injected identity headers. Switches downstream Forge API calls from the legacy `cockpit/USER_FORGE_TOKEN` slot to the new per-IdP-identity OAuth slots, with refresh-on-expiry logic inlined in cockpit. Estimated 2-3 hours. After that, s164 redeploys the admin VM with the full v1 stack and live-verifies the complete e2e walk top to bottom.
mik-tf commented 2026-05-26 17:00:53 +00:00
Author
Owner
Copy link

Session 163 complete (2026-05-26)

Phase 2 consumer side shipped. Two squash-merges on origin/development:

  • hero_proxy@1d54373inject_authenticated_identity (proxy.rs:98) now emits X-Hero-Provider + X-Hero-External-Id alongside X-Hero-User for OIDC-provisioned users. 2 new unit tests; existing strip_proxy_headers covers the new headers via x-hero-* prefix. Locked by D-32.
  • hero_cockpit@386c412 — new forge_session.rs extractor + new forge_api_client.rs on-behalf-of API client (slot read via hero_proc_sdk, refresh-on-expiry with 60s leeway, process-global tokio Mutex for refresh race, bearer_for orchestration). Root / redirect is now SSO-aware. /welcome redirects SSO users to /; POST /welcome/save-token returns HTTP 409 under SSO (closes the cross-tenant write surface flagged in Phase B.5). Drive-by clippy + fmt repairs in hero_cockpit_server mirroring the s162 pattern.

Pre-merge gate green on both repos: fmt + workspace clippy -D warnings + workspace release build + 51/51 hero_proxy_server lib + 5/5 phase2_oauth integration + 12/12 hero_cockpit_web lib tests all pass.

Decisions and limitations:

  • D-32 minted: proxy injects the 2 additional identity headers; external_id is byte-identical from the users.external_id column so it matches the SHA-256 hash forge_token_store uses on the substrate side.
  • L-10 accepted: legacy cockpit/USER_FORGE_TOKEN stays single-tenant for the headless/scripted-user fallback path; SSO users are gated out at the handler layer.

State at /stop:

  • Admin VM 0062 still on session 158 binaries; session 162 + 163 NOT yet deployed.
  • Twin 14199 mainnet 0 Created, twin 6905 baseline 40 untouched.
  • No uncommitted carry-over.

Session 164 (NEXT, ~2-3h, arc closure):

  1. Register Forge OAuth app at forge.ourworld.tf admin for hcockpit.gent01.qa.grid.tf.
  2. Populate cockpit/FORGE_OAUTH_CLIENT_ID + cockpit/FORGE_OAUTH_CLIENT_SECRET + cockpit/FORGE_OAUTH_ISSUER on admin VM 0062.
  3. Redeploy hero_proxy + hero_cockpit binaries via lab build --download --install.
  4. Add ONE minimal on-behalf-of demo surface in cockpit (recommended: "List my Forge repos" panel on cockpit landing) so B-39 is actually live-verifiable.
  5. Click through full SSO e2e walk; flip B-37 + B-38 + B-39 to live-verified.
  6. Close this issue. Phase 2 ships.

Estimated remaining: ~2-3 hours.

Signed-by: mik-tf mik-tf@noreply.invalid

## Session 163 complete (2026-05-26) Phase 2 consumer side shipped. Two squash-merges on origin/development: - **hero_proxy@1d54373** — `inject_authenticated_identity` (proxy.rs:98) now emits `X-Hero-Provider` + `X-Hero-External-Id` alongside `X-Hero-User` for OIDC-provisioned users. 2 new unit tests; existing `strip_proxy_headers` covers the new headers via `x-hero-*` prefix. Locked by D-32. - **hero_cockpit@386c412** — new `forge_session.rs` extractor + new `forge_api_client.rs` on-behalf-of API client (slot read via hero_proc_sdk, refresh-on-expiry with 60s leeway, process-global tokio Mutex for refresh race, bearer_for orchestration). Root `/` redirect is now SSO-aware. `/welcome` redirects SSO users to `/`; `POST /welcome/save-token` returns HTTP 409 under SSO (closes the cross-tenant write surface flagged in Phase B.5). Drive-by clippy + fmt repairs in hero_cockpit_server mirroring the s162 pattern. Pre-merge gate green on both repos: fmt + workspace clippy `-D warnings` + workspace release build + 51/51 hero_proxy_server lib + 5/5 phase2_oauth integration + 12/12 hero_cockpit_web lib tests all pass. **Decisions and limitations:** - D-32 minted: proxy injects the 2 additional identity headers; external_id is byte-identical from the `users.external_id` column so it matches the SHA-256 hash forge_token_store uses on the substrate side. - L-10 accepted: legacy `cockpit/USER_FORGE_TOKEN` stays single-tenant for the headless/scripted-user fallback path; SSO users are gated out at the handler layer. **State at /stop:** - Admin VM 0062 still on session 158 binaries; session 162 + 163 NOT yet deployed. - Twin 14199 mainnet 0 Created, twin 6905 baseline 40 untouched. - No uncommitted carry-over. **Session 164 (NEXT, ~2-3h, arc closure):** 1. Register Forge OAuth app at forge.ourworld.tf admin for `hcockpit.gent01.qa.grid.tf`. 2. Populate `cockpit/FORGE_OAUTH_CLIENT_ID` + `cockpit/FORGE_OAUTH_CLIENT_SECRET` + `cockpit/FORGE_OAUTH_ISSUER` on admin VM 0062. 3. Redeploy hero_proxy + hero_cockpit binaries via `lab build --download --install`. 4. Add ONE minimal on-behalf-of demo surface in cockpit (recommended: "List my Forge repos" panel on cockpit landing) so B-39 is actually live-verifiable. 5. Click through full SSO e2e walk; flip B-37 + B-38 + B-39 to live-verified. 6. Close this issue. Phase 2 ships. Estimated remaining: ~2-3 hours. Signed-by: mik-tf <mik-tf@noreply.invalid>
mik-tf commented 2026-05-26 22:21:22 +00:00
Author
Owner
Copy link

Phase 2 closure plan — clean-slate redeploy with dual-admin live-verify

Planning refresh between session 163 and session 164. The remaining work is operator-runbook + a live-verification walk. No more code to write on the substrate side.

What changed since the issue body was written

  • Old admin VM (the one running at hcockpit.gent01.qa.grid.tf on session-158 binaries) has been torn down. All old TFGrid contracts on QA twin 703 were cancelled, the dedicated QA node was unreserved and freshly re-rented under a new RentContract. A throwaway test VM was provisioned on the re-rented node to confirm the operator workstation SSH key actually lands via the deployer flow, then destroyed. Public URL is intentionally offline until session 164.
  • Dual-admin design finalized. Two admin operators (mik-tf + scott) will be in the ADMIN_FORGE_USERS allowlist AND on the admin VM's root SSH authorized_keys. This exercises the multi-admin path that the original runbook glossed over.

Session 164 plan (about 2.5 to 3 hours)

Stage 1, provision the new admin VM via the deployer flow (about 30 min). Mint a fresh Forge user, upload the first admin operator's SSH pubkey to it, then deployer.provision_vm on the re-rented QA node. SSH in with the operator key, append the second admin's pubkey to authorized_keys. The first admin's key lands via the documented flow (this proves the runbook); the second admin's key is appended manually post-provision (call out as the "second operator SSH key extension step" in the runbook).

Stage 2, install + bring up services with the session-162 and session-163 binaries (about 25 min). Standard rebuild recipe from the topology memory: scp binaries from workstation, set 9 baseline secrets, add the IPv6 hero_proxy listener, deploy the web gateway with backend on the new VM. Confirm https://hcockpit.gent01.qa.grid.tf/ returns 200.

Stage 3, register the Forge OAuth app + set Phase 2 secrets + ship one demo surface + dual-admin live-verify (about 75 to 90 min). Register the OAuth app for the callback URL, set cockpit/FORGE_OAUTH_CLIENT_ID + cockpit/FORGE_OAUTH_CLIENT_SECRET, set deployer/ADMIN_FORGE_USERS=mik-tf,scott. Restart services, confirm the forge_oauth_seed ran. Ship ONE minimal on-behalf-of API call site ("List my Forge repos" widget on the cockpit landing, about 80 LOC, one commit) so acceptance criterion 5 is actually live-verifiable. Walk the e2e flow as admin #1 in an incognito browser. Ping admin #2 to walk the same flow from his side. Per-admin token isolation gets cross-validated by counting the OAuth secret slots after both walks (6 slots expected: 3 per admin). Run a negative test with a Forge account NOT in the allowlist to confirm the 403 path fires cleanly.

Stage 4, close (about 15 min). Flip e2e_checklist rows B-37 / B-38 / B-39 to Have with both validators named in the audit-log line. Close this issue with a summary comment listing session-162 + session-163 + session-164 commit SHAs and the demo URL.

Risks not yet covered

  • OAuth callback URL is locked to the gent01.qa.grid.tf hostname; if the gateway zone changes, the OAuth app needs re-registration. Likely tracked as L-11 if it surfaces at the live walk.
  • ADMIN_FORGE_USERS mutations may require a hero_proxy restart to propagate (worth verifying at session 164 walk; if so, file follow-up issue for hot-reload).
  • The widget exercises a read on the user's behalf; a write-path on-behalf-of demo is out of scope for v1 closure but tracked as a backlog item for the post-arc session.

Acceptance criteria coverage at session 164 close

All six acceptance criteria from the issue body are addressed by the plan above. Criterion 7 (operator runbook documents the registration step + the allowlist secret + the temp-password delivery convention) gets exercised AS THE PROVISIONING PATH for the new admin VM, so the runbook ships alongside the deployment instead of being written after the fact.

Ready to execute at session 164 start.

Signed-by: mik-tf mik-tf@noreply.invalid

## Phase 2 closure plan — clean-slate redeploy with dual-admin live-verify Planning refresh between session 163 and session 164. The remaining work is operator-runbook + a live-verification walk. No more code to write on the substrate side. ### What changed since the issue body was written - Old admin VM (the one running at `hcockpit.gent01.qa.grid.tf` on session-158 binaries) has been torn down. All old TFGrid contracts on QA twin 703 were cancelled, the dedicated QA node was unreserved and freshly re-rented under a new RentContract. A throwaway test VM was provisioned on the re-rented node to confirm the operator workstation SSH key actually lands via the deployer flow, then destroyed. Public URL is intentionally offline until session 164. - Dual-admin design finalized. Two admin operators (mik-tf + scott) will be in the `ADMIN_FORGE_USERS` allowlist AND on the admin VM's root SSH authorized_keys. This exercises the multi-admin path that the original runbook glossed over. ### Session 164 plan (about 2.5 to 3 hours) **Stage 1, provision the new admin VM via the deployer flow (about 30 min).** Mint a fresh Forge user, upload the first admin operator's SSH pubkey to it, then `deployer.provision_vm` on the re-rented QA node. SSH in with the operator key, append the second admin's pubkey to authorized_keys. The first admin's key lands via the documented flow (this proves the runbook); the second admin's key is appended manually post-provision (call out as the "second operator SSH key extension step" in the runbook). **Stage 2, install + bring up services with the session-162 and session-163 binaries (about 25 min).** Standard rebuild recipe from the topology memory: scp binaries from workstation, set 9 baseline secrets, add the IPv6 hero_proxy listener, deploy the web gateway with backend on the new VM. Confirm `https://hcockpit.gent01.qa.grid.tf/` returns 200. **Stage 3, register the Forge OAuth app + set Phase 2 secrets + ship one demo surface + dual-admin live-verify (about 75 to 90 min).** Register the OAuth app for the callback URL, set `cockpit/FORGE_OAUTH_CLIENT_ID` + `cockpit/FORGE_OAUTH_CLIENT_SECRET`, set `deployer/ADMIN_FORGE_USERS=mik-tf,scott`. Restart services, confirm the `forge_oauth_seed` ran. Ship ONE minimal on-behalf-of API call site ("List my Forge repos" widget on the cockpit landing, about 80 LOC, one commit) so acceptance criterion 5 is actually live-verifiable. Walk the e2e flow as admin #1 in an incognito browser. Ping admin #2 to walk the same flow from his side. Per-admin token isolation gets cross-validated by counting the OAuth secret slots after both walks (6 slots expected: 3 per admin). Run a negative test with a Forge account NOT in the allowlist to confirm the 403 path fires cleanly. **Stage 4, close (about 15 min).** Flip e2e_checklist rows B-37 / B-38 / B-39 to Have with both validators named in the audit-log line. Close this issue with a summary comment listing session-162 + session-163 + session-164 commit SHAs and the demo URL. ### Risks not yet covered - OAuth callback URL is locked to the `gent01.qa.grid.tf` hostname; if the gateway zone changes, the OAuth app needs re-registration. Likely tracked as L-11 if it surfaces at the live walk. - `ADMIN_FORGE_USERS` mutations may require a hero_proxy restart to propagate (worth verifying at session 164 walk; if so, file follow-up issue for hot-reload). - The widget exercises a read on the user's behalf; a write-path on-behalf-of demo is out of scope for v1 closure but tracked as a backlog item for the post-arc session. ### Acceptance criteria coverage at session 164 close All six acceptance criteria from the issue body are addressed by the plan above. Criterion 7 (operator runbook documents the registration step + the allowlist secret + the temp-password delivery convention) gets exercised AS THE PROVISIONING PATH for the new admin VM, so the runbook ships alongside the deployment instead of being written after the fact. Ready to execute at session 164 start. Signed-by: mik-tf <mik-tf@noreply.invalid>
mik-tf commented 2026-05-27 00:57:16 +00:00
Author
Owner
Copy link

Phase 2 is complete. The public QA admin VM is live at https://hcockpit.gent01.qa.grid.tf/hero_cockpit/web/ and the Forge SSO flow has been verified end to end. The shipped work includes the Forge OAuth provider and per-user token persistence in hero_proxy 3eb1b57, downstream identity headers in hero_proxy 1d54373, enforced Forge admin allowlist in hero_proxy cb55f24, cockpit SSO identity consumption in hero_cockpit 386c412, the Forge identity-backed cockpit widget in hero_cockpit 38b759b, and the runbook plus checklist closure updates in home 2dd806f. Live validation: mik-tf and scott both signed in through Forge and landed in Hero Cockpit without the legacy paste-token prompt; the cockpit widget rendered after a persisted OAuth bearer call to Forge; the VM was cleaned to one valid OAuth token triple; a temporary Forge user outside deployer/ADMIN_FORGE_USERS was denied with a clean allowlist message and then deleted. Operational follow-ups were filed or updated: hero_compute#128 comment 37070 for deploy_vm name validation, hero_os_tfgrid_deployer#11 for the default image mismatch, hero_proxy#56 for the gateway listener seed row, hero_cockpit#9 for smoke-test diagnostics, and hero_codescalers#37 for the fresh-install startup failure. Closing this tracker.

Phase 2 is complete. The public QA admin VM is live at https://hcockpit.gent01.qa.grid.tf/hero_cockpit/web/ and the Forge SSO flow has been verified end to end. The shipped work includes the Forge OAuth provider and per-user token persistence in hero_proxy 3eb1b57, downstream identity headers in hero_proxy 1d54373, enforced Forge admin allowlist in hero_proxy cb55f24, cockpit SSO identity consumption in hero_cockpit 386c412, the Forge identity-backed cockpit widget in hero_cockpit 38b759b, and the runbook plus checklist closure updates in home 2dd806f. Live validation: mik-tf and scott both signed in through Forge and landed in Hero Cockpit without the legacy paste-token prompt; the cockpit widget rendered after a persisted OAuth bearer call to Forge; the VM was cleaned to one valid OAuth token triple; a temporary Forge user outside deployer/ADMIN_FORGE_USERS was denied with a clean allowlist message and then deleted. Operational follow-ups were filed or updated: hero_compute#128 comment 37070 for deploy_vm name validation, hero_os_tfgrid_deployer#11 for the default image mismatch, hero_proxy#56 for the gateway listener seed row, hero_cockpit#9 for smoke-test diagnostics, and hero_codescalers#37 for the fresh-install startup failure. Closing this tracker.
mik-tf commented 2026-05-27 02:18:00 +00:00
Author
Owner
Copy link

Clarifying the closure boundary after the live screenshot: Phase 2 is perfect for the SSO perimeter, because cockpit and deployer paths on https://hcockpit.gent01.qa.grid.tf are restricted until Forge login. It is not the final tester-ready UX yet: the post-login admin screen is still scaffold-level. Continuing that productization work in home#238, with the e2e checklist as the acceptance gate.

Clarifying the closure boundary after the live screenshot: Phase 2 is perfect for the SSO perimeter, because cockpit and deployer paths on `https://hcockpit.gent01.qa.grid.tf` are restricted until Forge login. It is not the final tester-ready UX yet: the post-login admin screen is still scaffold-level. Continuing that productization work in [home#238](https://forge.ourworld.tf/lhumina_code/home/issues/238), with the e2e checklist as the acceptance gate.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
development
main
No results found.
Labels
Clear labels   
meeting-notes

Meeting notes and follow-ups

  
meeting-transcript

Raw meeting transcript; AI drafts the report

No labels
meeting-notes
meeting-transcript
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
lhumina_code/home#237
No description provided.