development_proxy #18

Merged
timur merged 40 commits from development_proxy into development 2026-02-20 09:01:55 +00:00
No description provided.
- Remove admin/ module, templates/, startup.rs, and axum/askama deps
- Add rpc.rs: JSON-RPC 2.0 server over Unix socket (~/hero/var/hero_zero.sock)
- Add service_data.rs: extracted data collection logic from admin handlers
- Move build.rs out of admin/ as standalone module
- Add profile system for DAG-ordered service installation
- Add hero_proxy.toml service template
- Switch hero_osis to Unix socket binding (unix:~/hero/var/sockets/*.sock)
- Add sockets_dir to HeroPaths, socket path field to ServiceView
- Fix install.rs: always write .install oneshots (don't skip when binary exists)
- Add docs: sockets.md, proxy.md, architecture/

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Runs a zinit oneshot (hero_setup) on first start that prepares the
host environment before any services are installed or started.

On Linux: creates chvm_runner user, sets capabilities on
hero_network_daemon, creates directory tree with correct ownership.
On macOS: ensures hero directories exist (lightweight dev parity).

Skipped on subsequent runs via marker file at
~/hero/var/hero_zero/.first_run_complete (removed by hero_zero clean).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace hardcoded first_run_setup() with two service templates:
- hero_setup: creates runner user + directory tree (all profiles)
- hero_secure: sets ownership + Linux capabilities (admin only)

Both silently no-op on macOS. All profiles now depend on hero_setup.
Rename chvm_runner → runner in architecture docs.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
hero_compute_manager uses chvm-lib for TAP/bridge ops directly,
making the separate hero_network_daemon redundant. hero_compute_manager
now gets CAP_NET_ADMIN via hero_secure oneshot instead.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Update service config and architecture docs to reflect
hero_compute_manager binding to a Unix socket instead of TCP port.
hero_proxy routes /hero_compute_manager/* to the socket. Remove
references to direct TCP port exposure.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add dedicated network.md covering TAP/bridge (chvm0), mycelium overlay,
VM networking lifecycle, and full request paths. Fix bridge name to chvm0
(192.168.200.0/24). Remove stale "routes tenant requests to VMs" from
hero_proxy host mode. Clarify that mycelium provides end-to-end encryption
(not host TLS). Add VM boot sequence showing mycelium daemon startup
before zinit/hero_zero.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- All service templates declare protocol type (http/redis/tcp)
- hero_proxy.toml exec passes name:protocol format CLI args
- hero_proxy.toml adds HERO_AUTH_TOKEN env var
- Update architecture docs for health checks and auth
- admin profile updates

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Remove the binary_exists check that skipped the .install dependency
when a binary was already present. Every hero_zero run now always
adds the .install oneshot dependency, ensuring services rebuild
from latest git code.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Without this, Cargo.lock pins git dependencies to old commits and
cargo build never picks up new upstream changes (e.g. hero_lib
updates). Now every install runs cargo update --aggressive first.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Services running stale binaries show as Running, so they were
skipped by the old "restart failed only" logic. Now all services
are restarted after their .install oneshots complete, ensuring
they always run the freshly built binary.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Propagate HERO_PROXY_DNS_NAME, HERO_PROXY_ACME_EMAIL, HERO_PROXY_ACME_PROD
  from hero_zero environment to hero_proxy service template
- Generalize resolve_placeholders to loop over env var list instead of hardcoding
- Update hero_proxy.md: simplify to env-based mode selection (DNS_NAME → HTTPS)
- Update security.md: add TLS section, Linux capabilities, updated network diagram

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- hero_auth, hero_embedder, hero_forge, hero_launcher: use --bind unix:socket
- hero_aibroker: use BIND env var for unix socket
- hero_shrimp: use ADMIN_SOCKET env var, remove hardcoded API keys
- hero_proxy: only list services with Unix socket support
- config.rs: add hero_claude + hero_launcher to DEFAULT_CONFIGS
- config.rs: propagate OPENROUTER_API_KEY, GROQ_API_KEY, SAMBANOVA_API_KEY,
  TELEGRAM_TOKEN from hero_zero env to child services

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Adds hero_embedder, hero_forge, hero_aibroker, hero_auth, hero_shrimp,
hero_launcher, and hero_compute_manager to the core profile with proper
dependency ordering.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add stop_and_clean() to zinit.rs: stops services, clears configs, deletes
  binaries and tracking files before writing fresh configs
- Remove needs_install gate from execute_profile — always write install oneshots
- Install oneshots are self-contained shell scripts (clone + make install),
  no callback to hero_zero
- InstallationView: derive is_installed from binary existence, installed_at
  from binary mtime, version from tracking file

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
hero_proxy installs and runs first in all profiles. All other install
steps have after = ["hero_proxy.run"] so the admin UI is available to
monitor the rest of the installation process.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Zinit's reload() already auto-starts newly discovered services via
try_start_service(), which respects depends_on ordering. The explicit
start loop was redundant and caused race conditions where run services
started before their install oneshots completed.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
hero_zero was writing depends_on in [service] section which zinit
ignores. Now writes [dependencies] requires = [...] which zinit
actually reads, fixing dependency ordering for install oneshots.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Remove all "Wrote X.toml", "Reloaded", "Clean slate", step count
  prints from profile execution and install/run commands
- Set zinit handle to LogLevel::Silent to suppress reload messages
- Demote RPC server log to debug level
- Add spinner animation while waiting for admin UI port to come up
- Display Socket/Admin/Stop info block after launch completes
- RPC server runs in background tokio task, process blocks forever

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
hero_zero no longer spawns zinit-server — it just connects and fails
with a clear message if zinit isn't reachable. Also removes the
install_zinit() cargo install helper and the RPC log line.

Banner updated: "Hero Service Bootstrap"

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Keep hero_zero starting zinit-server itself — more defensive than
requiring it externally. All verbose log lines remain silenced.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
New standalone UI services that serve frontend HTML through hero_proxy.
Updated proxy exec args to include both UI services.
Added install/run steps to core and full profiles.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The service template files existed but weren't included in the
embedded config array, so hero_zero didn't know about them.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add health_state, test_state, install_state, install_detail, run_state to ServiceView
- Add oneshot_state() helper for unified lifecycle state mapping
- Add Action::Health and Action::Test to profile system
- Add write_health_config_with_deps() for health check oneshots
- Update profiles (core, admin, full) with health/test steps
- Update architecture docs with prompts and notes

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- run/dev Makefile targets now build debug and run with --profile core
- Fix hero_aibroker binary name to 'aibroker' and branch to development_wasmos
- Fix git fetch to specify branch explicitly (avoids fetch errors on shallow clones)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Split forgejo into two services: forgejo (HTTP server) and forgejo_mcp (MCP server)
- Fix forgejo exec to use forgejo_server binary name
- Add forgejo_mcp.toml service template (port 3395)
- Register forgejo_mcp in DEFAULT_CONFIGS
- Make forgejo_mcp.install depend on forgejo.install to prevent concurrent git operations

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
GITEA_WORK_DIR must point to the source checkout where templates/
and public/ directories exist (build without bindata tag).
GITEA_CUSTOM points to ~/hero/var/forgejo/custom where app.ini lives.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Forgejo needs the /forgejo prefix preserved when proxying since it
serves HTML with subpath-aware asset URLs (ROOT_URL includes /forgejo/).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Local path dependencies break CI and other developers' builds.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Switch forgejo_mcp to unix socket binding (forgejo_mcp.sock)
- Register forgejo_mcp:http in hero_proxy service list
- Remove TCP port 3395 (now accessed via /forgejo_mcp/ proxy path)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The ports field made the admin UI display :3393 instead of /forgejo/.
Forgejo still binds to port 3393 via exec args (needed for forgejo_mcp),
but the proxy path /forgejo/ is now shown as the canonical endpoint.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Same pattern as forgejo fix - removing ports metadata so admin UI
displays /my_router_path/ proxy URL instead of :2918.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Stop/restart now manage full service lifecycle (oneshots + stopping state)
Some checks failed
Build and Test / build (pull_request) Failing after 4m17s
52aa75e498
- service_stop: also stops health/test oneshots
- service_restart: also restarts install/health/test oneshots so the full
  lifecycle re-runs through zinit's dependency chain
- Map zinit "stopping" to distinct "stopping" run_state (was collapsed into "stopped")

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
change branch
Some checks failed
Build and Test / build (pull_request) Failing after 8m13s
efd30c7cdc
feat: add hero_books to core profile and fix embedder URL
Some checks failed
Build and Test / build (pull_request) Has been cancelled
d19e285dd1
hero_embedder binds to a unix socket, so hero_books must reach it
through hero_proxy. Also adds hero_books install/run/health steps
to the core profile.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
merge: integrate development branch (herolib_os version bump)
Some checks failed
Build and Test / build (pull_request) Failing after 4m39s
6929feb7c5
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
timur merged commit eb2c167736 into development 2026-02-20 09:01:55 +00:00
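The commits above move services from TCP ports to Unix sockets under ~/hero/var/sockets, so file permissions become the access control for those endpoints. The following is an added example, not code from this repository, that lists sockets in such a directory that group or other users could connect to; `Finding` and `audit_socket_dir` are hypothetical names, and the directory layout is assumed from the commit messages.

```rust
use std::fs;
use std::io;
use std::os::unix::fs::{FileTypeExt, PermissionsExt};
use std::path::{Path, PathBuf};

/// A path that users other than its owner can write to.
#[derive(Debug, PartialEq)]
pub struct Finding {
    pub path: PathBuf,
    pub mode: u32, // permission bits only (st_mode & 0o777)
}

/// Flags the directory if group/other can write to it (they could unlink or
/// replace a socket), and every Unix socket inside that group/other can write to.
/// Linux requires write permission on a pathname socket to connect() to it.
pub fn audit_socket_dir(dir: &Path) -> io::Result<Vec<Finding>> {
    let mut findings = Vec::new();
    let dir_mode = fs::metadata(dir)?.permissions().mode() & 0o777;
    if dir_mode & 0o022 != 0 {
        findings.push(Finding { path: dir.to_path_buf(), mode: dir_mode });
    }
    for entry in fs::read_dir(dir)? {
        let path = entry?.path();
        // symlink_metadata: do not follow a symlink planted in the directory.
        let meta = fs::symlink_metadata(&path)?;
        if !meta.file_type().is_socket() {
            continue;
        }
        let mode = meta.permissions().mode() & 0o777;
        if mode & 0o022 != 0 {
            findings.push(Finding { path, mode });
        }
    }
    findings.sort_by(|a, b| a.path.cmp(&b.path));
    Ok(findings)
}

fn main() -> io::Result<()> {
    // Assumed location, taken from the socket path pattern in the commit messages.
    let home = std::env::var("HOME").unwrap_or_else(|_| ".".into());
    let dir = Path::new(&home).join("hero/var/sockets");
    for f in audit_socket_dir(&dir)? {
        println!("{:o} {}", f.mode, f.path.display());
    }
    Ok(())
}
```

Some non-Linux systems ignore the mode of the socket file itself, so the directory mode is the portable control.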
Reference
lhumina_code/hero_services!18