lhumina_research/hero_executor
8
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
execute functionality on behalf of our hero ecosystem
2 commits 1 branch 0 tags 47 KiB
Find a file
Exact
kristof de spiegeleer 2fd929b507 init
2025-12-28 16:03:50 +01:00
specs init 2025-12-28 16:03:50 +01:00
.gitignore Initial commit 2025-12-28 11:29:21 +00:00
LICENSE Initial commit 2025-12-28 11:29:21 +00:00
README.md init 2025-12-28 16:03:50 +01:00

README.md

hero_executor

hero_executor is the secure execution runtime of the HERO ecosystem.

It exposes multiple protocol interfaces (OpenRPC, REST, MCP) and executes agents, tools, and tasks on behalf of authenticated principals using HTTP Signatures.

It is protocol-agnostic at its core, identity-aware by design, and intended to run as the trusted control plane in a sovereign HERO deployment.

Purpose

hero_executor exists to answer one question:

“Who is allowed to execute what, and how?”

It provides:

  • A single execution surface for all HERO components
  • Strong request authentication using HTTP Signatures
  • A pluggable interface layer (REST, OpenRPC, MCP)
  • A deterministic execution pipeline backed by policy

It does not contain business logic. It executes and orchestrates it.

Responsibilities

hero_executor is responsible for:

  • Verifying caller identity (HTTP Sig)
  • Normalizing requests across protocols
  • Enforcing execution policy
  • Dispatching execution to hero_agent and other components
  • Returning signed, structured responses

It is not responsible for:

  • Long-term state storage
  • Model inference
  • UI or frontend concerns

Architecture

┌────────────────────┐
│    Client / Agent  │
│ (REST / OpenRPC /  │
│        MCP)        │
└─────────┬──────────┘
          │
          ▼
┌────────────────────────────┐
│        Axum Router         │   ← protocol adapters
├────────────────────────────┤
│        Tower Layers        │
│  - HTTP Signature Auth    │
│  - Identity Context       │
│  - Rate / Policy Hooks    │
├────────────────────────────┤
│        Core Dispatcher    │
│  - Request normalization │
│  - Capability resolution │
│  - Execution routing     │
├────────────────────────────┤
│     Execution Targets     │
│  - hero_agent             │
│  - hero_* components      │
└────────────────────────────┘

Interfaces

hero_executor supports multiple frontends over a single execution core:

REST

  • Human-friendly
  • Tooling and integration use
  • JSON over HTTP

OpenRPC

  • Typed, discoverable API surface
  • Machine-to-machine execution
  • Used by agents and SDKs

MCP

  • Model Context Protocol support
  • Enables tool calling from LLM runtimes
  • Maps MCP calls → execution intents

All interfaces converge into the same dispatcher.

Authentication & Identity

All execution requests are authenticated using HTTP Signatures.

  • Requests are signed by the caller
  • Signatures are verified at the Tower layer
  • Identity context is injected into the request lifecycle

This enables:

  • Strong non-repudiation
  • No shared secrets
  • Agent-to-agent trust
  • Offline key management

Execution Model

Execution is intent-based, not endpoint-based.

  1. Request arrives (REST / OpenRPC / MCP)
  2. Identity is verified
  3. Request is normalized into an execution intent
  4. Policy is applied
  5. Intent is dispatched to the appropriate executor
  6. Result is returned in protocol-specific form

Design Principles

  • Protocol-agnostic core
  • Explicit identity
  • Minimal surface area
  • Composable Tower layers
  • No hidden execution paths

Relation to Other HERO Components

  • hero_executor executes
  • hero_agent reasons and acts
  • hero_redis stores ephemeral state
  • hero_* provide capabilities

hero_executor is the spine that binds them.