feat(service): declare COLLAB_AUTH_MODE in service.toml so lab can forward it #71

Merged

sameh-farouk merged 1 commit from development_sameh into development 2026-06-03 16:58:59 +00:00

Conversation 0 Commits 1 Files changed 2 +19

sameh-farouk commented 2026-06-03 16:58:58 +00:00

Member

Copy link

Problem

COLLAB_AUTH_MODE=dev lab service hero_collab --start was silently ignored — collab still came up in proxy mode, and every browser RPC failed with "Authentication required".

Root cause

lab only forwards env vars that a binary declares in its service.toml [[env]] (it iterates info.env, applying each declared var's default and letting the shell override it — service_manager.rs:~2300). hero_proc spawns children with a clean env, so an undeclared var never reaches the process. collab declared no auth env → the shell COLLAB_AUTH_MODE=dev was dropped → server used its proxy default.

Fix

Declare COLLAB_AUTH_MODE (default proxy) on both the server and web (admin) actions. This makes lab forward an operator override:

• bare lab service hero_collab --start → proxy (production-safe; unchanged compiled/CLI default)
• COLLAB_AUTH_MODE=dev lab service hero_collab --start → dev

No insecure default committed — proxy stays the default everywhere.

Verification

With the declaration, COLLAB_AUTH_MODE=dev lab service hero_collab --start brings both binaries up with COLLAB_AUTH_MODE=dev under hero_proc; channel.list/huddle.list return 200 through hero_router (were "Authentication required"). Both jobs stay running attempt=0 (with the #69 health-check fix).

Present identically on main — will cherry-pick after merge.

## Problem `COLLAB_AUTH_MODE=dev lab service hero_collab --start` was silently ignored — collab still came up in `proxy` mode, and every browser RPC failed with "Authentication required". ## Root cause `lab` only forwards env vars that a binary **declares** in its `service.toml [[env]]` (it iterates `info.env`, applying each declared var's default and letting the shell override it — `service_manager.rs:~2300`). hero_proc spawns children with a clean env, so an *undeclared* var never reaches the process. collab declared no auth env → the shell `COLLAB_AUTH_MODE=dev` was dropped → server used its `proxy` default. ## Fix Declare `COLLAB_AUTH_MODE` (default `proxy`) on both the server and web (admin) actions. This makes lab forward an operator override: - bare `lab service hero_collab --start` → **proxy** (production-safe; unchanged compiled/CLI default) - `COLLAB_AUTH_MODE=dev lab service hero_collab --start` → **dev** No insecure default committed — `proxy` stays the default everywhere. ## Verification With the declaration, `COLLAB_AUTH_MODE=dev lab service hero_collab --start` brings both binaries up with `COLLAB_AUTH_MODE=dev` under hero_proc; `channel.list`/`huddle.list` return 200 through hero_router (were "Authentication required"). Both jobs stay `running attempt=0` (with the #69 health-check fix). Present identically on `main` — will cherry-pick after merge.

sameh-farouk added 1 commit 2026-06-03 16:58:58 +00:00

feat(service): declare COLLAB_AUTH_MODE in service.toml so lab can forward it ... 328019c163

`lab` only forwards env vars a binary declares in its `service.toml
[[env]]` block (it iterates `info.env`, then lets the operator's shell
override each declared var's default). hero_proc spawns children with a
clean env, so an undeclared var never reaches the process.

collab declared no auth env, so `COLLAB_AUTH_MODE=dev lab service
hero_collab --start` silently dropped the override and the server came
up in `proxy` mode — every browser RPC then failed with
"Authentication required".

Declare COLLAB_AUTH_MODE on both the server and web (admin) actions
with `default = "proxy"`:
  - bare `lab service hero_collab --start` → proxy (production-safe,
    unchanged from the compiled binary default)
  - `COLLAB_AUTH_MODE=dev lab service hero_collab --start` → dev
    (shell override now reaches the child)

No insecure default is committed; the compiled binary default and the
`hero_collab` CLI default both remain `proxy`.

Verified: with the declaration, the server + web come up with
COLLAB_AUTH_MODE=dev under hero_proc supervision; channel.list/huddle.list
return 200 through hero_router instead of "Authentication required".

sameh-farouk merged commit d284983510 into development 2026-06-03 16:58:59 +00:00

sameh-farouk deleted branch development_sameh 2026-06-03 16:58:59 +00:00

sameh-farouk referenced this pull request from a commit 2026-06-03 16:59:00 +00:00

feat(service): declare COLLAB_AUTH_MODE in service.toml so lab can forward it (#71)

sameh-farouk referenced this pull request 2026-06-03 16:59:43 +00:00

feat(service): declare COLLAB_AUTH_MODE in service.toml so lab can forward it (cherry-pick) #72

sameh-farouk referenced this pull request from a commit 2026-06-03 16:59:44 +00:00

feat(service): declare COLLAB_AUTH_MODE in service.toml so lab can forward it (#71)

sameh-farouk referenced this pull request from a commit 2026-06-03 16:59:44 +00:00

feat(service): declare COLLAB_AUTH_MODE in service.toml so lab can forward it (#72)

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels   

prio_critical

  

prio_low

  

type_bug

  

type_contact

  

type_issue

  

type_lead

  

type_question

  

type_story

  

type_task

No labels

prio_critical

prio_low

type_bug

type_contact

type_issue

type_lead

type_question

type_story

type_task

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

lhumina_code/hero_collab!71

No description provided.