Hero sandbox demo (go-to-production): cover the meeting demo, deployed from main

mik-tf commented

2026-06-03 16:35:20 +00:00

Owner

Goal

Make the Hero OS sandbox cover the go-to-production demo, deployed from
the stable main branch on the dedicated node. Source of truth for scope
is the meeting:
kristof_ahmed_go2production.md.

The demo: a user provisions a VM on the grid, gets cockpit access, and
runs the agent (kimi rust, exposed as web with MCP tools to whiteboard
and planner) to drive Planner plus Whiteboard/Slides artifacts, with
voice. Nothing beyond this is in scope (no books / grounded search /
memory for this demo).

How releases work

Per-branch rolling release: a push to main publishes the latest
release, a push to development publishes the dev release. The sandbox
install downloads latest, so once a component publishes from main the
install tracks main. Moving a component to main = (1) rolling workflow
on main + CI green so latest is from main, (2) the small stable-library
migration if it still uses the old service API, (3) set default branch to
main.

Demo components → repo → status

Demo capability	repo	status	remaining
Cockpit (landing + deploy UI)	hero_cockpit	DONE	—
Grid deploy + VM provisioning	hero_os_tfgrid_deployer	DONE	—
Base: router / entry	hero_router	DONE	—
Base: proxy / gateway	hero_proxy	DONE	—
Base: supervisor	hero_proc	default=main	confirm `latest` is from current main (add rolling if stale)
Planner	hero_planner	publishing	rolling workflow pushed, CI building -> then default=main
Slides	hero_slides	publishing	rolling workflow pushed, CI building -> then default=main
Whiteboard	hero_whiteboard	near	rolling already adopted; flip default=main + confirm latest-from-main
Agent (kimi rust, web + MCP)	hero_kimi_rust	near	rolling already adopted; flip default=main + confirm latest-from-main
Voice widget	hero_voice	to-do	migrate to stable libs + publish from main
Voice engine	hero_voice_provider	to-do	rolling workflow (gnu) + publish from main
Provisioner daemon	hero_compute	to-do	migrate to stable libs; admin VM keeps its current build for the MVP, migrate later

Plan (MVP first)

Phase 1 — minimal-demo components publish from main (publish-only): hero_router (done), hero_planner, hero_slides (CI building). (in progress)
Phase 2 — live MVP on the dedicated node: admin VM (deployer + cockpit + proxy + proc + router + compute[current build]) + one tester; walk green: gateway -> cockpit -> whiteboard + planner + slides + grid provisioning. First live milestone; rent reused.
Phase 3 — agent + voice: flip hero_kimi_rust + hero_whiteboard default=main; publish hero_voice_provider; migrate hero_voice. Completes the meeting demo (agent -> planner/whiteboard, by voice).
Phase 4 — cut over: retire the old development-era testers, rotate tester tokens, update the deployment runbook.

Boundary

The deployment components (deployer, cockpit) are ours and done. While the
team is offline we are also doing the publish-switch and the small library
migrations on the demo components above; each is a CI-file or the same
migration already done on proxy / router / proc / cockpit, recorded here.
This tracker is scoped to the meeting demo only; org-wide migration of the
~70 other lhumina_code repos is out of scope here.

## Goal Make the Hero OS sandbox cover the go-to-production demo, deployed from the stable `main` branch on the dedicated node. Source of truth for scope is the meeting: [kristof_ahmed_go2production.md](https://forge.ourworld.tf/lhumina_code/home/src/branch/development/meetings/kristof_ahmed_go2production.md). The demo: a user provisions a VM on the grid, gets cockpit access, and runs the agent (kimi rust, exposed as web with MCP tools to whiteboard and planner) to drive Planner plus Whiteboard/Slides artifacts, with voice. Nothing beyond this is in scope (no books / grounded search / memory for this demo). ## How releases work Per-branch rolling release: a push to `main` publishes the `latest` release, a push to `development` publishes the `dev` release. The sandbox install downloads `latest`, so once a component publishes from `main` the install tracks `main`. Moving a component to main = (1) rolling workflow on main + CI green so `latest` is from main, (2) the small stable-library migration if it still uses the old service API, (3) set default branch to `main`. ## Demo components → repo → status | Demo capability | repo | status | remaining | |---|---|---|---| | Cockpit (landing + deploy UI) | hero_cockpit | DONE | — | | Grid deploy + VM provisioning | hero_os_tfgrid_deployer | DONE | — | | Base: router / entry | hero_router | DONE | — | | Base: proxy / gateway | hero_proxy | DONE | — | | Base: supervisor | hero_proc | default=main | confirm `latest` is from current main (add rolling if stale) | | Planner | hero_planner | publishing | rolling workflow pushed, CI building -> then default=main | | Slides | hero_slides | publishing | rolling workflow pushed, CI building -> then default=main | | Whiteboard | hero_whiteboard | near | rolling already adopted; flip default=main + confirm latest-from-main | | Agent (kimi rust, web + MCP) | hero_kimi_rust | near | rolling already adopted; flip default=main + confirm latest-from-main | | Voice widget | hero_voice | to-do | migrate to stable libs + publish from main | | Voice engine | hero_voice_provider | to-do | rolling workflow (gnu) + publish from main | | Provisioner daemon | hero_compute | to-do | migrate to stable libs; admin VM keeps its current build for the MVP, migrate later | ## Plan (MVP first) - **Phase 1 — minimal-demo components publish from `main`** (publish-only): `hero_router` (done), `hero_planner`, `hero_slides` (CI building). *(in progress)* - **Phase 2 — live MVP on the dedicated node**: admin VM (deployer + cockpit + proxy + proc + router + compute[current build]) + one tester; walk green: gateway -> cockpit -> whiteboard + planner + slides + grid provisioning. First live milestone; rent reused. - **Phase 3 — agent + voice**: flip `hero_kimi_rust` + `hero_whiteboard` default=main; publish `hero_voice_provider`; migrate `hero_voice`. Completes the meeting demo (agent -> planner/whiteboard, by voice). - **Phase 4 — cut over**: retire the old development-era testers, rotate tester tokens, update the deployment runbook. ## Boundary The deployment components (deployer, cockpit) are ours and done. While the team is offline we are also doing the publish-switch and the small library migrations on the demo components above; each is a CI-file or the same migration already done on proxy / router / proc / cockpit, recorded here. This tracker is scoped to the meeting demo only; org-wide migration of the ~70 other lhumina_code repos is out of scope here.

mik-tf commented

2026-06-03 17:18:55 +00:00

Author

Owner

Status update from the deployment side.

Done:

hero_os_tfgrid_deployer is on main (now the default branch) and on development. The tester install script (setup-binaries.sh) is now embedded inside the deployer binary and copied to each tester at install time, so the deployer no longer fetches it from a separate repo. Its shared-library dependencies point at the stable main branches (no pinning workarounds needed), and it uses the per-branch rolling release workflow (push to main publishes the latest release, push to development publishes the dev release). Local gate is green (fmt, clippy with warnings denied, release build, 84 tests, --info). CI is publishing the latest release from main.
hero_demo is on main and set as default (note: this repo now lives under lhumina_research, not lhumina_code).

Blocked (needs a maintainer of hero_proxy):

hero_cockpit is fully converted and staged but cannot build on main yet. hero_proxy main pins its hero_rpc_derive, hero_rpc_openrpc, hero_lifecycle, and herolib_core dependencies at the development branch. The current hero_rpc refactor has removed hero_rpc_derive from development, so hero_proxy main no longer resolves, and anything that depends on it (the cockpit server) cannot build. hero_cockpit goes to main the moment hero_proxy main points those dependencies at the stable branches.

This is the general pattern we are tracking: each shared library main needs its own dependencies pointed at the stable branches, not just the leaf apps.

Status update from the deployment side. Done: - hero_os_tfgrid_deployer is on main (now the default branch) and on development. The tester install script (setup-binaries.sh) is now embedded inside the deployer binary and copied to each tester at install time, so the deployer no longer fetches it from a separate repo. Its shared-library dependencies point at the stable main branches (no pinning workarounds needed), and it uses the per-branch rolling release workflow (push to main publishes the latest release, push to development publishes the dev release). Local gate is green (fmt, clippy with warnings denied, release build, 84 tests, --info). CI is publishing the latest release from main. - hero_demo is on main and set as default (note: this repo now lives under lhumina_research, not lhumina_code). Blocked (needs a maintainer of hero_proxy): - hero_cockpit is fully converted and staged but cannot build on main yet. hero_proxy main pins its hero_rpc_derive, hero_rpc_openrpc, hero_lifecycle, and herolib_core dependencies at the development branch. The current hero_rpc refactor has removed hero_rpc_derive from development, so hero_proxy main no longer resolves, and anything that depends on it (the cockpit server) cannot build. hero_cockpit goes to main the moment hero_proxy main points those dependencies at the stable branches. This is the general pattern we are tracking: each shared library main needs its own dependencies pointed at the stable branches, not just the leaf apps.

mik-tf commented

2026-06-03 19:20:54 +00:00

Author

Owner

Update: the three deployment-side repos are now on main.

hero_os_tfgrid_deployer: on main (default), latest release published from main, install script embedded in the binary (no external repo dependency).
hero_demo: on main (default).
hero_cockpit: on main (default). Unblocked by the hero_proxy main dependency fix, then migrated to the relocated hero_lib API (service-lifecycle helpers now in hero_lifecycle::base; path helpers renamed to path_cfg_dir / path_var_dir / path_bin_dir). CI is publishing its latest release from main now.

Thanks to the hero_proxy maintainer for pointing its main dependencies at the stable branches, which unblocked the cockpit.

Still outstanding for the whole sandbox to deploy purely from main (maintainer-owned, tracked above): the app and engine repos still default to development, and hero_embedder_provider still has no release. Each app repo will likely need the same small hero_lifecycle migration the cockpit just did.

Update: the three deployment-side repos are now on main. - hero_os_tfgrid_deployer: on main (default), latest release published from main, install script embedded in the binary (no external repo dependency). - hero_demo: on main (default). - hero_cockpit: on main (default). Unblocked by the hero_proxy main dependency fix, then migrated to the relocated hero_lib API (service-lifecycle helpers now in hero_lifecycle::base; path helpers renamed to path_cfg_dir / path_var_dir / path_bin_dir). CI is publishing its latest release from main now. Thanks to the hero_proxy maintainer for pointing its main dependencies at the stable branches, which unblocked the cockpit. Still outstanding for the whole sandbox to deploy purely from main (maintainer-owned, tracked above): the app and engine repos still default to development, and hero_embedder_provider still has no release. Each app repo will likely need the same small hero_lifecycle migration the cockpit just did.

mik-tf changed title from ~~Hero sandbox demo: move deployment to the main branch~~ to Hero sandbox demo (go-to-production): cover the meeting demo, deployed from main

2026-06-03 20:23:27 +00:00

mik-tf commented

2026-06-03 22:04:19 +00:00

Author

Owner

Phase 2 done: live MVP bring-up from main on the dedicated node.

A fresh tester was provisioned on the rented node and installed the demo base bundle from the latest (main) releases, reaching install state ready. The base bundle is now scoped to the demo apps (cockpit, planner, slides, whiteboard, agent, voice) on top of the always-on base (proxy, router, supervisor, the per-tester data store, orchestrator). Content libraries, the knowledge store, and business records were dropped from the default install and are install-on-demand instead. The data store (hero_db) was added to the base because slides persists to it, and without it slides could fail its first boot.

All demo apps serve on the tester and route through the public gateway behind the Forge login gate (landing 200; cockpit, planner, slides, whiteboard all redirect to login as expected). Provisioning and the gateway path are healthy (the earlier contract-cancel 502 was delete-only, not the forward path). The deployer change is on main and republishing latest; the deployment runbook demo-app scope was updated to match.

Next: Phase 3 (agent kimi_rust + voice from main), then Phase 4 cutover.

Phase 2 done: live MVP bring-up from main on the dedicated node. A fresh tester was provisioned on the rented node and installed the demo base bundle from the latest (main) releases, reaching install state ready. The base bundle is now scoped to the demo apps (cockpit, planner, slides, whiteboard, agent, voice) on top of the always-on base (proxy, router, supervisor, the per-tester data store, orchestrator). Content libraries, the knowledge store, and business records were dropped from the default install and are install-on-demand instead. The data store (hero_db) was added to the base because slides persists to it, and without it slides could fail its first boot. All demo apps serve on the tester and route through the public gateway behind the Forge login gate (landing 200; cockpit, planner, slides, whiteboard all redirect to login as expected). Provisioning and the gateway path are healthy (the earlier contract-cancel 502 was delete-only, not the forward path). The deployer change is on main and republishing latest; the deployment runbook demo-app scope was updated to match. Next: Phase 3 (agent kimi_rust + voice from main), then Phase 4 cutover.

mik-tf referenced this issue

2026-06-03 22:37:23 +00:00

Full Hero stack demo tester (alicefull) from main #246

mik-tf commented

2026-06-03 22:52:34 +00:00

Author

Owner

Demo tester is live and the old testers are cleaned up.

alicelight (the meeting demo) is provisioned from main on the dedicated node and installs the base bundle to ready: cockpit, planner, slides, whiteboard, voice all serve and route through the public gateway behind the Forge login at https://alicelight.gent01.qa.grid.tf. It has a working login account.

All earlier development-era testers (alice123, alice124, alice125, ruy, and a couple of throwaways) were decommissioned and their user records removed, so the only tester now is alicelight. Deleting VMs works again (the earlier teardown failures have cleared); back-to-back contract cancellations need a compute-daemon restart between each, tracked separately.

The full-stack demo tester (books, memory, grounded search) is tracked as alicefull in #246, gated on those apps publishing from main.

Demo tester is live and the old testers are cleaned up. alicelight (the meeting demo) is provisioned from main on the dedicated node and installs the base bundle to ready: cockpit, planner, slides, whiteboard, voice all serve and route through the public gateway behind the Forge login at https://alicelight.gent01.qa.grid.tf. It has a working login account. All earlier development-era testers (alice123, alice124, alice125, ruy, and a couple of throwaways) were decommissioned and their user records removed, so the only tester now is alicelight. Deleting VMs works again (the earlier teardown failures have cleared); back-to-back contract cancellations need a compute-daemon restart between each, tracked separately. The full-stack demo tester (books, memory, grounded search) is tracked as alicefull in https://forge.ourworld.tf/lhumina_code/home/issues/246, gated on those apps publishing from main.

~~mik-tf referenced this issue 2026-06-03 23:37:40 +00:00~~

Simplify tester onboarding: reuse existing Forge users, drop tester SSH keys, clearer access errors #247

mik-tf commented

2026-06-04 14:18:43 +00:00

Author

Owner

State update: the last two base components are now on the stable branch. The gateway WebSocket forwarding fix (so the assistant chat connects on a tester domain) and the assistant's four deploy fixes (web address form, provider key read from the environment, prefix-correct asset paths, and its setup files embedded in the binary) are merged to main and CI is republishing the stable release. These were proven on the live tester using locally built fast-path binaries; the remaining step to call this done is to provision one brand-new tester from the stable release and confirm it comes up working with no manual fixes: the assistant opens, is styled, and chats; planner, slides, and whiteboard serve; and voice loads.

mik-tf referenced this issue

2026-06-04 14:18:44 +00:00

[META] Hero OS sandbox demo, functional readiness: onboarding pipeline + per-app verification #239

mik-tf referenced this issue

2026-06-05 16:33:14 +00:00

Sandbox admin panel: confirm updates land from main, manage access and keys, and let a tester invite a co-user #256