Deployer Settings: manage all admin access surfaces #277

Open
opened 2026-06-09 14:05:03 +00:00 by mik-tf · 4 comments
Owner

Context

The deployer admin Settings page currently has an Admin SSH keys panel. That panel only manages core/ADMIN_SSH_PUBKEYS, which is the set of public keys injected into newly provisioned tester VMs.

During live admin updates on admin VM 0069, we confirmed there are actually three separate admin-access surfaces that operators need to understand and manage:

  1. Forge web admins — Forge usernames allowed through SSO into the admin dashboard and included in tester cockpit allowlists.
  2. Admin VM SSH login keys — public keys allowed to SSH directly into the admin VM itself.
  3. Tester VM SSH injection keys — public keys injected into newly provisioned tester VMs.

Today only surface 3 is exposed in Settings, and its label is ambiguous.

Proposed UI

Add one clear Admin access area to the deployer Settings page with three subsections:

Settings
└─ Admin access
   ├─ Forge web admins
   │  ├─ Label: Forge usernames allowed into the admin dashboard and tester cockpits
   │  ├─ Input: one Forge username per line
   │  ├─ Saves to: deployer/ADMIN_FORGE_USERS and core/ADMIN_FORGE_USERS
   │  └─ Save action: Save web admins; restart/refresh hero_proxy_server + deployer allowlist state as needed
   │
   ├─ Admin VM SSH login keys
   │  ├─ Label: Public keys allowed to SSH directly into this admin VM
   │  ├─ Input: one OpenSSH public key per line
   │  ├─ Writes to: /root/.ssh/authorized_keys and /home/driver/.ssh/authorized_keys
   │  └─ Save action: Save admin VM SSH keys; backup, validate keys, preserve permissions/ownership, prevent lockout
   │
   └─ Tester VM SSH injection keys
      ├─ Label: Public keys injected into newly provisioned tester VMs
      ├─ Input: one OpenSSH public key per line
      ├─ Saves to: core/ADMIN_SSH_PUBKEYS
      └─ Save action: Save tester SSH keys; applies only to newly provisioned/recreated tester VMs

Implementation notes

  • Rename the existing Admin SSH keys section to Tester VM SSH injection keys.
  • Reuse the existing OpenSSH public key validation used by deployer.set_admin_ssh_keys.
  • Add RPC/server support for reading and updating admin VM authorized keys.
  • Authorized-key writes must be atomic and create a timestamped backup before replacing files.
  • Preserve correct file modes and ownership:
    • /root/.ssh owned by root:root, mode 700; authorized_keys mode 600.
    • /home/driver/.ssh owned by driver:driver, mode 700; authorized_keys mode 600.
  • Add lockout protection for admin VM SSH keys. At minimum, reject saving an empty list or removing all currently known/bootstrap keys unless an explicit force path exists.
  • For Forge web admins, write ADMIN_FORGE_USERS to the contexts currently used in production: deployer and core.
  • Prefer making deployer/proxy read the allowlist live from hero_proc. If that is not done in the first pass, the save action should restart or refresh hero_proxy_server and hero_tfgrid_deployer_server so changes take effect immediately.

Acceptance criteria

  • Settings page clearly distinguishes Forge web admins, Admin VM SSH login keys, and Tester VM SSH injection keys.
  • Operator can add/remove Forge web admin usernames from the UI.
  • Operator can add/remove admin VM SSH login public keys from the UI without breaking file ownership or permissions.
  • Operator can add/remove tester VM SSH injection keys from the UI using the existing semantics.
  • Saving Forge web admins updates both deployer/ADMIN_FORGE_USERS and core/ADMIN_FORGE_USERS, or the codebase is refactored so only one canonical live-read slot is needed.
  • Saving admin VM SSH keys updates both root and driver authorized_keys files, with backup and lockout protection.
  • Tests cover parsing/validation and lockout behavior for all new RPC/server paths.
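Added example, not part of the issue and not the project's code: a std-only Rust sketch of the lockout guard and the atomic, backed-up `authorized_keys` replacement that the implementation notes ask for. The names `key_id`, `check_lockout` and `replace_authorized_keys`, the `.bak-<stamp>` / `.tmp-<stamp>` file naming, and the rule that `force` never permits an empty list are assumptions; OpenSSH key validation is assumed to have been done already by the existing validator.

```rust
use std::collections::HashSet;
use std::fs::{self, OpenOptions, Permissions};
use std::io::{self, Write};
use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};
use std::path::{Path, PathBuf};

// A key's identity is "<type> <base64>"; the trailing comment is ignored.
fn key_id(line: &str) -> Option<String> {
    let mut f = line.split_whitespace();
    Some(format!("{} {}", f.next()?, f.next()?))
}

// Lockout guard (hypothetical helper). Assumption: an empty list is always
// refused; `force` only overrides the "no bootstrap key left" check.
pub fn check_lockout(proposed: &[&str], bootstrap: &[&str], force: bool) -> Result<(), String> {
    let new: HashSet<String> = proposed.iter().filter_map(|l| key_id(l)).collect();
    if new.is_empty() {
        return Err("refusing to save an empty key list".into());
    }
    let kept = bootstrap.iter().filter_map(|l| key_id(l)).any(|k| new.contains(&k));
    if !kept && !force {
        return Err("no bootstrap key would remain".into());
    }
    Ok(())
}

// Back up the current file, write a 0600 temp file beside it, rename it over the
// target. Ownership is untouched: a root writer must chown the temp file first.
pub fn replace_authorized_keys(path: &Path, keys: &[&str], stamp: &str) -> io::Result<Option<PathBuf>> {
    let backup = path.exists().then(|| PathBuf::from(format!("{}.bak-{}", path.display(), stamp)));
    if let Some(b) = &backup {
        fs::copy(path, b)?; // copies contents and permission bits
    }
    let tmp = PathBuf::from(format!("{}.tmp-{}", path.display(), stamp));
    let mut f = OpenOptions::new().write(true).create_new(true).mode(0o600).open(&tmp)?;
    for k in keys {
        writeln!(f, "{}", k.trim())?;
    }
    f.set_permissions(Permissions::from_mode(0o600))?; // exact mode, independent of umask
    f.sync_all()?; // contents on disk before the rename makes them visible
    fs::rename(&tmp, path)?; // atomic when tmp and target share a filesystem
    Ok(backup)
}

fn main() {
    // Constructed placeholder keys, not real key material.
    let (boot, next) = (["ssh-ed25519 AAAABOOT boot@admin"], ["ssh-ed25519 AAAANEW new@laptop"]);
    println!("{:?}", check_lockout(&next, &boot, false));
}
```

Run the guard against the bootstrap set before calling the writer for each of the two target files, so a rejected list never touches either file.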
Author
Owner

Layout update

The Settings page should not keep growing as one long vertical form. Keep the existing top navbar for app-level navigation, and add a Settings-local left sidebar for settings sections.

Suggested structure:

Top navbar
  Dashboard | Users | VMs | Nodes | Settings | ...

Settings page
┌──────────────────────┬─────────────────────────────────────┐
│ Settings sidebar     │ Active settings section              │
│                      │                                     │
│ Overview             │  Read-only summary / status          │
│ Email                │                                     │
│ Admin access         │  Forge web admins                    │
│ Assistant keys       │  Admin VM SSH login keys             │
│ Advanced / Runtime   │  Tester VM SSH injection keys        │
└──────────────────────┴─────────────────────────────────────┘

The first Settings section should be Overview. It should be mostly read-only and show compact current state so operators land on a safe summary rather than an editing form:

Overview
  Email
    Sending: enabled
    Provider key: configured
    From: Hero OS <...>

  Admin access
    Forge web admins: 5 users
    Admin VM SSH login keys: 5 keys
    Tester VM SSH injection keys: 5 keys

  Assistant defaults
    OpenRouter: configured
    Groq: not configured
    Kimi: configured

  Runtime
    Deployer: running
    Proxy: running

The Admin access section should keep the three related controls on one focused page, but the page-level sidebar prevents Settings from becoming cramped as more sections are added.

Author
Owner

Implementation pass is ready in worktree/branch home-277-admin-access at /home/pctwo/Documents/temp/hero_work/lhumina_code/hero_os_tfgrid_deployer_admin_access.

Covered:

  • Settings page has a local left sidebar: Overview, Email, Admin access, Assistant keys.
  • Admin access now separates Forge web admins, admin VM SSH login keys, and tester VM SSH injection keys.
  • Server RPC/OpenRPC/SDK/admin routes added for Forge admins and admin VM SSH keys.
  • Forge admin updates write deployer/ADMIN_FORGE_USERS and core/ADMIN_FORGE_USERS, then restart hero_proxy_server.
  • Admin VM SSH updates validate keys and write both /root/.ssh/authorized_keys and /home/driver/.ssh/authorized_keys using non-interactive sudo.
  • Service manifests updated from socket_type to canonical socket type, fixing the lab --info build failure.

Verification passed:

  • cargo fmt --all --check
  • cargo test -p hero_tfgrid_deployer_sdk -p hero_tfgrid_deployer_server -p hero_tfgrid_deployer_admin
  • cargo clippy -p hero_tfgrid_deployer_sdk -p hero_tfgrid_deployer_server -p hero_tfgrid_deployer_admin --all-targets -- -D warnings
  • lab build --workspace --no-upx
Author
Owner

Merged to lhumina_code/hero_os_tfgrid_deployer remote main.

Remote main now points at bb1c149:

  • 89e3019 feat(admin): manage deployer admin access settings
  • merged on top of latest origin/main (a8dc79b)

Verification before merge/push included:

  • cargo fmt --all --check
  • cargo test -p hero_tfgrid_deployer_sdk -p hero_tfgrid_deployer_server -p hero_tfgrid_deployer_admin
  • cargo clippy -p hero_tfgrid_deployer_sdk -p hero_tfgrid_deployer_server -p hero_tfgrid_deployer_admin --all-targets -- -D warnings
  • lab build --workspace --no-upx
  • lab build --check
Author
Owner

Follow-up merged to lhumina_code/hero_os_tfgrid_deployer remote main: 87c7fc1 feat(deployer): apply access settings to existing testers.

This adds a real live propagation action, not just UI:

  • New RPC: deployer.apply_tester_access
  • New Settings/Admin access button: Apply to existing tester VMs
  • For each existing tester VM with a recorded mycelium IP, the deployer SSHes with the installer key, rewrites /root/.ssh/authorized_keys with installer + admin + opt-in tester keys, writes the effective tester cockpit allowlist to deployer/ADMIN_FORGE_USERS and core/ADMIN_FORGE_USERS, and restarts hero_proxy_server on that tester.
  • Rows without mycelium IP are skipped; SSH failures are returned per VM.
  • Installer key lookup now reads deployer/INSTALLER_SSH_PRIVKEY / deployer/INSTALLER_SSH_PUBKEY first, with env fallback for older deployments.

Verification passed:

  • cargo fmt --all --check
  • cargo test -p hero_tfgrid_deployer_sdk -p hero_tfgrid_deployer_server -p hero_tfgrid_deployer_admin
  • cargo clippy -p hero_tfgrid_deployer_sdk -p hero_tfgrid_deployer_server -p hero_tfgrid_deployer_admin --all-targets -- -D warnings
  • lab build --check
  • lab build --workspace --no-upx
Reference
lhumina_code/home#277