docs(hero_proxy_admin_api): add skill; document proxy.* reserved namespace #211

Merged
lee merged 1 commit from development_lee_proxy_admin_api into development 2026-05-05 13:38:38 +00:00

New sibling skill hero_proxy_admin_api for backend authors building
admin panels (hero_collab, hero_whiteboard, future apps) that need to
manage users/groups/roles/claims through the proxy:

  • Caller model: cookie-authenticated session for admin panels (per-method
    authz), bearer token for operators (bypasses authz), UDS for trusted
    local processes.
  • The proxy.* capability namespace and the per-method claim map.
  • The seeded admin role + group; how is_admin=true users inherit the
    full proxy.* set by composition (no special-casing).
  • Reserved-name guards on the seeded admin group/role (no recreate,
    rename, or delete at runtime).
  • Audit identity (real admin's username vs. operator "system").
  • Impersonation contract: auth.impersonate / auth.stop_impersonating,
    cookie overlay, X-Hero-Impersonator header, real-admin authz on
    management calls so the admin can always stop impersonating.
  • Browser-side fetch example, do/don't list for backend authors.

hero_claim_format updated to add proxy.* to the reserved-prefix
table, the validator reference, and the valid/invalid examples.
Also updates related: [...] to cross-link the new skill.

docs(hero_proxy_admin_api): add skill; document proxy.* reserved namespace
All checks were successful
Build and Publish Skills / build-and-publish (pull_request) Successful in 3s
82a21649d0
lee merged commit 4a3f0a7c70 into development 2026-05-05 13:38:38 +00:00
lee deleted branch development_lee_proxy_admin_api 2026-05-05 13:38:42 +00:00
Reference
lhumina_code/hero_skills!211