lhumina_code/hero_compute
20
0
Fork 0
Code Issues 14 Pull requests 3 Projects Releases 7 Packages Wiki Activity Actions

chore: Remove HERO_COMPUTE_BRIDGE_TOKEN from TCP bridge #59

New issue
Closed
opened 2026-04-05 12:37:55 +00:00 by mahmoud · 5 comments
mahmoud commented 2026-04-05 12:37:55 +00:00
Owner
Copy link

Summary

The TCP bridge in hero_compute_explorer has an optional HERO_COMPUTE_BRIDGE_TOKEN auth mechanism that should be removed.

Why remove it

  • Optional — if not set, the bridge is wide open with just a log warning
  • Shared password — one token for the entire cluster, no per-node identity
  • No identity — even with the token, there's no way to know which node is connecting
  • False sense of security — gives the appearance of auth without real protection
  • Plaintext — token sent as AUTH <token>\n in plain text over TCP

Proper node identity and authorization should be handled separately (see #57 discussion). Until then, this half-measure adds complexity without real value.

What to remove

  • HERO_COMPUTE_BRIDGE_TOKEN env var reading in tcp_bridge() (crates/hero_compute_explorer/src/main.rs)
  • The AUTH <token>\n handshake logic in the TCP bridge
  • The auth warning log line
  • Any references in docs or configuration

The TCP bridge should just accept connections and proxy bytes directly (it already does this when the token is unset).

## Summary The TCP bridge in `hero_compute_explorer` has an optional `HERO_COMPUTE_BRIDGE_TOKEN` auth mechanism that should be removed. ## Why remove it - **Optional** — if not set, the bridge is wide open with just a log warning - **Shared password** — one token for the entire cluster, no per-node identity - **No identity** — even with the token, there's no way to know *which* node is connecting - **False sense of security** — gives the appearance of auth without real protection - **Plaintext** — token sent as `AUTH <token>\n` in plain text over TCP Proper node identity and authorization should be handled separately (see #57 discussion). Until then, this half-measure adds complexity without real value. ## What to remove - `HERO_COMPUTE_BRIDGE_TOKEN` env var reading in `tcp_bridge()` (`crates/hero_compute_explorer/src/main.rs`) - The `AUTH <token>\n` handshake logic in the TCP bridge - The auth warning log line - Any references in docs or configuration The TCP bridge should just accept connections and proxy bytes directly (it already does this when the token is unset).
mahmoud self-assigned this 2026-04-06 08:45:18 +00:00
mahmoud added this to the ACTIVE project 2026-04-06 08:45:20 +00:00
mahmoud added this to the now milestone 2026-04-06 08:45:23 +00:00
mahmoud commented 2026-04-06 09:20:31 +00:00
Author
Owner
Copy link

Implementation Spec for Issue #59

Objective

Remove the optional HERO_COMPUTE_BRIDGE_TOKEN authentication mechanism from the tcp_bridge function in hero_compute_explorer, simplifying the bridge to accept connections and proxy bytes directly.

Requirements

  • Remove the HERO_COMPUTE_BRIDGE_TOKEN environment variable read from tcp_bridge()
  • Remove the AUTH <token>\n handshake logic
  • Remove the auth warning log line emitted when the token is unset
  • Remove the bridge_token / token variables and now-unnecessary imports (AsyncBufReadExt, AsyncWriteExt, BufReader)
  • Update the doc comment on tcp_bridge to remove the "optionally requires auth token" clause
  • Remove the HERO_COMPUTE_BRIDGE_TOKEN row from docs/configuration.md
  • Ensure no other files reference HERO_COMPUTE_BRIDGE_TOKEN

Files to Modify

File Change
crates/hero_compute_explorer/src/main.rs Remove token env var read, auth handshake block, warning log, unused imports, update doc comment
docs/configuration.md Remove the HERO_COMPUTE_BRIDGE_TOKEN row from the env vars table

Implementation Plan

Step 1: Simplify tcp_bridge in hero_compute_explorer/src/main.rs

  • Update doc comment (remove auth token mention)
  • Delete env var read + warning log (4 lines)
  • Delete let token = bridge_token.clone(); from per-connection clone block
  • Delete entire auth-check block (~24 lines)
  • Clean up any unused imports

Step 2: Update docs/configuration.md

  • Remove the HERO_COMPUTE_BRIDGE_TOKEN row from the environment variables table

Acceptance Criteria

  • HERO_COMPUTE_BRIDGE_TOKEN does not appear anywhere in the codebase
  • AUTH_FAILED does not appear in hero_compute_explorer/src/main.rs
  • The tcp_bridge function accepts TCP connections and immediately proxies bytes (no handshake)
  • Connection limiting via semaphore is preserved
  • Configurable bind address (HERO_COMPUTE_BIND_ADDRESS) is preserved
  • cargo build succeeds with no warnings
  • cargo clippy passes

Notes

  • The hero_compute_server crate has its own tcp_bridge that never had token auth — no changes needed there
  • Pure removal with no behavioral change for deployments already running without the token (the majority case)

🤖 Generated with Claude Code

## Implementation Spec for Issue #59 ### Objective Remove the optional `HERO_COMPUTE_BRIDGE_TOKEN` authentication mechanism from the `tcp_bridge` function in `hero_compute_explorer`, simplifying the bridge to accept connections and proxy bytes directly. ### Requirements - Remove the `HERO_COMPUTE_BRIDGE_TOKEN` environment variable read from `tcp_bridge()` - Remove the `AUTH <token>\n` handshake logic - Remove the auth warning log line emitted when the token is unset - Remove the `bridge_token` / `token` variables and now-unnecessary imports (`AsyncBufReadExt`, `AsyncWriteExt`, `BufReader`) - Update the doc comment on `tcp_bridge` to remove the "optionally requires auth token" clause - Remove the `HERO_COMPUTE_BRIDGE_TOKEN` row from `docs/configuration.md` - Ensure no other files reference `HERO_COMPUTE_BRIDGE_TOKEN` ### Files to Modify | File | Change | |------|--------| | `crates/hero_compute_explorer/src/main.rs` | Remove token env var read, auth handshake block, warning log, unused imports, update doc comment | | `docs/configuration.md` | Remove the `HERO_COMPUTE_BRIDGE_TOKEN` row from the env vars table | ### Implementation Plan #### Step 1: Simplify `tcp_bridge` in `hero_compute_explorer/src/main.rs` - Update doc comment (remove auth token mention) - Delete env var read + warning log (4 lines) - Delete `let token = bridge_token.clone();` from per-connection clone block - Delete entire auth-check block (~24 lines) - Clean up any unused imports #### Step 2: Update `docs/configuration.md` - Remove the `HERO_COMPUTE_BRIDGE_TOKEN` row from the environment variables table ### Acceptance Criteria - [ ] `HERO_COMPUTE_BRIDGE_TOKEN` does not appear anywhere in the codebase - [ ] `AUTH_FAILED` does not appear in `hero_compute_explorer/src/main.rs` - [ ] The `tcp_bridge` function accepts TCP connections and immediately proxies bytes (no handshake) - [ ] Connection limiting via semaphore is preserved - [ ] Configurable bind address (`HERO_COMPUTE_BIND_ADDRESS`) is preserved - [ ] `cargo build` succeeds with no warnings - [ ] `cargo clippy` passes ### Notes - The `hero_compute_server` crate has its own `tcp_bridge` that never had token auth — no changes needed there - Pure removal with no behavioral change for deployments already running without the token (the majority case) --- 🤖 Generated with [Claude Code](https://claude.ai/code)
mahmoud commented 2026-04-06 10:26:29 +00:00
Author
Owner
Copy link

Test Results

  • cargo build: PASS
  • cargo test: PASS (32 passed, 0 failed, 30 ignored)
  • cargo clippy (hero_compute_explorer): PASS (no warnings)
  • grep HERO_COMPUTE_BRIDGE_TOKEN: not found (confirmed removed)

Automated check

## Test Results - **cargo build**: PASS - **cargo test**: PASS (32 passed, 0 failed, 30 ignored) - **cargo clippy** (hero_compute_explorer): PASS (no warnings) - **grep HERO_COMPUTE_BRIDGE_TOKEN**: not found (confirmed removed) Automated check
mahmoud commented 2026-04-06 10:28:04 +00:00
Author
Owner
Copy link

Implementation Summary

Changes Made

crates/hero_compute_explorer/src/main.rs

  • Removed HERO_COMPUTE_BRIDGE_TOKEN env var read
  • Removed auth warning log line
  • Removed let token = bridge_token.clone() from connection handler
  • Removed entire AUTH handshake block (~24 lines)
  • Updated doc comment to remove auth token mention
  • No unused import cleanup needed (imports were block-scoped)

docs/configuration.md

  • Removed HERO_COMPUTE_BRIDGE_TOKEN row from the Network env vars table

What was preserved

  • Semaphore-based connection limiting (MAX_BRIDGE_CONNECTIONS = 100)
  • Configurable bind address via HERO_COMPUTE_BIND_ADDRESS
  • All existing proxy logic (TCP ↔ Unix socket byte copying)

Test Results

  • cargo build: pass
  • cargo test: 32 passed, 0 failed
  • cargo clippy: no warnings
  • grep verification: HERO_COMPUTE_BRIDGE_TOKEN fully removed

🤖 Generated with Claude Code

## Implementation Summary ### Changes Made **`crates/hero_compute_explorer/src/main.rs`** - Removed `HERO_COMPUTE_BRIDGE_TOKEN` env var read - Removed auth warning log line - Removed `let token = bridge_token.clone()` from connection handler - Removed entire AUTH handshake block (~24 lines) - Updated doc comment to remove auth token mention - No unused import cleanup needed (imports were block-scoped) **`docs/configuration.md`** - Removed `HERO_COMPUTE_BRIDGE_TOKEN` row from the Network env vars table ### What was preserved - Semaphore-based connection limiting (MAX_BRIDGE_CONNECTIONS = 100) - Configurable bind address via `HERO_COMPUTE_BIND_ADDRESS` - All existing proxy logic (TCP ↔ Unix socket byte copying) ### Test Results - ✅ cargo build: pass - ✅ cargo test: 32 passed, 0 failed - ✅ cargo clippy: no warnings - ✅ grep verification: HERO_COMPUTE_BRIDGE_TOKEN fully removed 🤖 Generated with [Claude Code](https://claude.ai/code)
mahmoud commented 2026-04-06 10:29:17 +00:00
Author
Owner
Copy link

Implementation committed: e84dc59

Browse: e84dc59

Implementation committed: `e84dc59` Browse: https://forge.ourworld.tf/lhumina_code/hero_compute/commit/e84dc59
mahmoud commented 2026-04-07 12:48:09 +00:00
Author
Owner
Copy link

Done

Done
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
development
development_hero_proxy_multinode
development_tfgrid
development_hero_router
main
development_fix_deploy_ssh_keys_target_node
v0.1.6
v0.1.5
v0.1.4
v0.1.3
v0.1.2
v0.1.1
v0.1.0
Labels
Clear labels   
prio_critical

   
prio_low

   
type_bug

   
type_contact

   
type_issue

   
type_lead

   
type_question

   
type_story

   
type_task
No labels
prio_critical
prio_low
type_bug
type_contact
type_issue
type_lead
type_question
type_story
type_task
Milestone
Clear milestone
No items
No milestone
now
Projects
Clear projects
No items
No project
ACTIVE
Assignees
Clear assignees
No assignees
mahmoud
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
lhumina_code/hero_compute#59
No description provided.