  • Rust 78.8%
  • Nushell 17.5%
  • Shell 3.6%
Sameh Abouel-saad 69ed49a31d
Some checks failed
Publish edge build / build-and-publish (push) Failing after 2s
Build and Test (lab workspace) / build-and-test (push) Failing after 4s
fix(lab/flow): make hero_os_hosted's token, env, and sudo cleanup work
Three paper-cuts in hero_os_hosted (Kristof's 1df2971 from 32h ago)
together broke the customer multi-user provisioning flow end-to-end.

Bug A — FORGE_TOKEN never reached the chained `lab user init`:
`sudo -u <name> -i` strips env. The embedded lab_install.sh ends with
`lab user init` (no flag), and bootstrap.md §3 step 1's four-tier
resolution chain (--flag → env → TOML → TTY) had none of them
available in the sudo'd non-TTY context. Same problem in step 4 for
`lab flow hero_os_local init`, whose Forge downloads also need the
token.

Fix A: new required CLI flag `--forge-token` on hero_os_hosted (also
reads $FORGE_TOKEN, resolved manually since clap's "env" feature isn't
enabled in this workspace). Step 3 injects the token through `env(1)`
prefix — env vars set on the target user's own argv survive sudo's
env-strip policy without needing SETENV in the temp sudoers drop-in.
Drop the `-i` since lab_install.sh doesn't need a login shell.

Bug B — sudo revocation only ran on success: step_revoke_sudo as
ordered step 6 was unreachable on any earlier-step failure. A mycelium
node_info failure in step 5 (observed on kristof5: no mycelium daemon
installed) left the user with permanent passwordless sudo via
/etc/sudoers.d/hero_hosted_<name>.

Fix B: TempSudoersGuard struct with Drop impl, declared after
step_grant_sudo. Fires on Ok-return, `?`-propagated Err, and panic-
unwind. SIGKILL bypasses Drop — fundamental limit, called out in the
docstring. step_revoke_sudo function removed.

Bug C — step 4 panicked on PATH_CODE missing: even with FORGE_TOKEN
plumbed, the spawned `lab flow hero_os_local init` panicked at
hero_lib::core::paths::path_code because sudo strips PATH_CODE/
PATH_ROOT/etc. and lab's pinned hero_lib (3ff281d) unconditionally
.expect()s PATH_CODE. The upstream hero_lib fix (30a0b34e) makes
PATH_CODE/PATH_BUILD/PATH_VAR derive from PATH_ROOT, but PATH_ROOT
still has to be set.

Fix C: step 4 invokes `bash -c "source ~/hero/cfg/init.sh && lab flow
hero_os_local init"` — init.sh exists by step 4 (lab user init wrote
it in step 3) and its `eval $(lab path)` exports everything from
hero_cfg.toml, including FORGE_TOKEN. So step 4 no longer needs the
token passed explicitly. Stays useful even after lab bumps to a
hero_lib SHA with the PATH_CODE fallback, because PATH_ROOT itself
still requires explicit setting.

Tests: install_lab_argv_carries_forge_token_through_sudo_env and
hero_os_local_init_argv_sources_init_sh pin the new argv shapes.
TDD'd from red (functions didn't exist) → green. Lib regression: 78/0.

Verified end-to-end on kristof5: hero_os_hosted sameh --forge-token X
runs steps 1-4 cleanly, hero_proc + hero_proc_admin start with healthy
sockets and passing smoke tests, hero_router fails (separate pre-
existing bug), guard fires and removes the temp sudoers drop-in.
2026-05-19 14:58:18 +03:00
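
The cleanup pattern described under Fix B, as an added Rust example that is not the repository's own code: a guard whose Drop removes the temporary sudoers drop-in on the Ok, Err and panic paths. The `provision` and `dropin_left_behind` functions, the step labels and the sudoers line are constructed for illustration, and the file is written under the system temp directory instead of /etc/sudoers.d.

```rust
use std::fs;
use std::io;
use std::path::{Path, PathBuf};

/// Removes the temporary sudoers drop-in when it goes out of scope.
/// Drop runs on normal return, on `?`-propagated Err and on panic unwind;
/// it does not run on SIGKILL or when the binary is built with panic = "abort".
struct TempSudoersGuard { path: PathBuf }

impl Drop for TempSudoersGuard {
    fn drop(&mut self) {
        // Never panic inside Drop; a file that is already gone counts as revoked.
        match fs::remove_file(&self.path) {
            Ok(()) => {}
            Err(e) if e.kind() == io::ErrorKind::NotFound => {}
            Err(e) => eprintln!("failed to revoke {}: {}", self.path.display(), e),
        }
    }
}

/// Hypothetical stand-in for the flow: grant, arm the guard, run fallible steps.
fn provision(dropin: &Path, fail_at: Option<&str>) -> Result<(), String> {
    // Constructed sudoers line, written to a scratch path for the demo.
    fs::write(dropin, "demo ALL=(ALL) NOPASSWD: ALL\n").map_err(|e| e.to_string())?;
    let _guard = TempSudoersGuard { path: dropin.to_path_buf() }; // armed right after the grant
    for step in ["install_lab", "hero_os_local_init", "mycelium_node_info"] {
        if fail_at == Some("panic") && step == "hero_os_local_init" {
            panic!("simulated panic in {}", step);
        }
        if fail_at == Some(step) {
            return Err(format!("{step} failed")); // early return still drops _guard
        }
    }
    Ok(())
}

/// Runs one scenario and reports whether the drop-in is still on disk afterwards.
fn dropin_left_behind(name: &str, fail_at: Option<&'static str>) -> bool {
    let path = std::env::temp_dir().join(format!("hero_hosted_demo_{name}_{}", std::process::id()));
    let p = path.clone();
    let _ = std::panic::catch_unwind(move || provision(&p, fail_at));
    path.exists()
}

fn main() {
    for (name, fail) in [("ok", None), ("err", Some("mycelium_node_info")), ("panic", Some("panic"))] {
        println!("{name}: drop-in left behind = {}", dropin_left_behind(name, fail));
    }
}
```

Binding the guard to `_guard` matters: `let _ = TempSudoersGuard { .. }` would drop it immediately and revoke the grant before the steps run.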
.forgejo/workflows ci(edge): switch to rust:latest, drop musl cross-compile 2026-05-13 15:37:21 +02:00
.hero lab: add musl-cross installer, auto-install on missing linker, harden build orchestrator 2026-05-17 10:35:35 +02:00
_archive refactor(lab): overhaul install scripts, user cfg, and docs 2026-05-16 19:33:23 +02:00
_beta refactor(lab): overhaul install scripts, user cfg, and docs 2026-05-16 19:33:23 +02:00
agents/default feat(lab): add Kimi agent config, MCP runner, OpenRPC client, and skills infrastructure 2026-05-16 13:05:28 +02:00
claude refactor(skills): reorganize skill files and add mother-skill sync for Claude+Kimi 2026-05-16 08:09:21 +02:00
crates fix(lab/flow): make hero_os_hosted's token, env, and sudo cleanup work 2026-05-19 14:58:18 +03:00
docs feat(scripts): add uninstall.sh + clarify hero_cfg.toml authorship 2026-05-11 11:22:49 +00:00
hero_os_architecture fix(lab): single-daemon mycelium cleanup, user-IP bind, IPv6 forward, nu env.nu 2026-05-13 15:32:15 +02:00
howto docs: update tools/ references to nutools/ in README, skills, architecture docs 2026-05-06 05:52:31 +02:00
knowledge lab: make env.nu dynamic via load-env + lab path --shell json 2026-05-17 17:36:25 +03:00
meetingnotes refactor: replace all zinit references with hero_proc (#68) 2026-03-20 11:39:39 -04:00
nutools nutools: gate secrets load on hero_proc ping, remove verbose init prints 2026-05-17 18:34:48 +02:00
prompts fix: remove unused merge_with_agent import and add --info requirement to build prompt 2026-05-10 13:11:54 +02:00
research/memory fix(submodule): remove orphaned vast_ai_research gitlink 2026-05-12 07:11:27 +02:00
scripts lab: add lab install/build commands, stale-binary cleanup, PATH_BUILD + PATH_ROOT env support 2026-05-18 07:05:02 +02:00
servers make-file helper 2026-02-05 07:25:03 +04:00
skills skills/lab: resync with current binary surface 2026-05-19 12:15:55 +02:00
.gitignore refactor: Consolidate code directories and simplify paths 2026-05-13 12:30:28 +03:00
Cargo.lock lab: replace hero_cfg.toml with HeroConfig model + Askama shell templates 2026-05-17 18:11:24 +02:00
Cargo.toml fix(lab): wire service.toml + herolib_core::base, fix nushell completions source 2026-05-13 08:12:47 +02:00
README.md lab: add musl-cross installer, auto-install on missing linker, harden build orchestrator 2026-05-17 10:35:35 +02:00

Hero Skills

Claude Code skills and the lab build orchestrator for the Hero stack.


What is lab?

lab is a Cargo-native Hero build orchestrator. It discovers binary targets, skips unchanged ones via fingerprinting, copies built binaries to ~/hero/bin, manages Forgejo repos, syncs secrets via hero_proc, and runs AI agents.

lab [flags]                  — build binaries in the current repo
lab build [REPO] [flags]     — find/clone a named repo then build it
lab user init                — install Rust + nushell, write hero_cfg.toml, configure shell
lab install core             — full install (AI tools, hero_proc, ...)
lab repo <verb>              — Forgejo repo management
lab secrets <verb>           — hero_proc / file-based secrets management
lab skills edit|sync         — manage Claude Code skills
lab agent 'instruction'      — run an AI agent instruction

Getting lab

Install (download or build from source)

curl -sSfL https://forge.ourworld.tf/lhumina_code/hero_skills/raw/branch/development/scripts/lab_install.sh | bash

lab_install.sh detects your platform (macOS/Linux, arm64/x86_64), downloads the pre-built binary from Forgejo into ~/hero/bin/lab, and falls back to building from source if no binary is available.


First-time setup

After installing lab:

export PATH="$HOME/hero/bin:$PATH"
lab user init        # install Rust + nushell, configure shell, prompt for FORGE_TOKEN
lab install core     # install AI tools, hero_proc, etc.

lab user init generates:

  • ~/hero/cfg/init.sh — bash environment (PATH_ROOT, CARGO_HOME, sccache, …)
  • ~/.config/nushell/env.nu — nushell equivalent, sets NU_LIB_DIRS and loads Hero modules
  • ~/.config/nushell/config.nu — sources hero_loader.nu and config_user.nu

Building and uploading a release

lab build --upload --platforms allbase -v

Builds for macos-arm64, linux-musl-arm64, linux-musl-x86_64 and uploads to Forgejo.


Getting a FORGE_TOKEN

Required for lab repo and lab secrets:

  1. Go to https://forge.ourworld.tf/user/settings/applications
  2. Generate a token with read:repository + write:repository scopes
  3. Set FORGE_TOKEN in your environment (or let lab user init prompt for it)