Skip to content

Feature/skills#58

Merged
douglasware merged 7 commits into
mainfrom
feature/skills
Jul 2, 2026
Merged

Feature/skills#58
douglasware merged 7 commits into
mainfrom
feature/skills

Conversation

@douglasware

Copy link
Copy Markdown
Contributor

Skills in the Guide and Assistant Builder as tools.

Now you can do:

  1. Web API
  2. Sandbox bash, python and node
  3. Client deferred tools (chat widget, tools owned by things like codex or claude code)
  4. Sandboxed and remote MCP servers
  5. Skills
  6. Scheduled runs
  7. Wire API so published guides act like super-models

JacksonFalgoust and others added 7 commits June 25, 2026 08:11
* Adds installer scripts and configuration

* Remove installer directory

* changes installer to zip file

* removes installer folder

* updates installer to work with empty .installer_state.env file

* Driver check for cuda and rocm.

* Adds --mount flag to mount folder to project without rebuilding

* Makes sure folder is mounted before opening localhost

* test run of installers

* changes compose files for arm64 builds

* Stores login token for mount authentication

* Mount to notbook within project, and unmount

* Add CliAuthSession entity, DbSet, model config, and EF migration

Persistence layer for the new CLI device-code authorization flow.
Adds CliAuthSession entity with SessionId (PK), DeviceSecretHash,
Status enum (Pending/Approved/Consumed), nullable UserId FK to User,
CreatedAt, and ExpiresAt. Includes ExpiresAt index for cleanup queries
and cascade delete from User.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* Add optional lifetimeOverride to JwtTokenService.IssueToken

Support caller-specified JWT lifetimes for the CLI device-code flow,
which needs short-lived (~10 min) tokens. When lifetimeOverride is null,
behavior is unchanged (uses configured LifetimeMinutes). Non-positive
overrides throw ArgumentOutOfRangeException.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* Add CliAuthService for secure CLI device-code auth flow

Implement ICliAuthService with CreateSessionAsync, ApproveAsync, and
IssueTokenAsync driving the CLI device-code authorization flow. The
device secret is hashed (SHA256) before storage and verified with
constant-time comparison before any status branching, preventing
session-ID-only callers from learning approval state. Tokens are
single-use (Consumed on issuance). Includes DI registration and 14
unit tests covering creation, cleanup, approval, secret verification,
token issuance, single-use enforcement, and JWT claim validation.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* Add CliAuth HTTP endpoints and remove insecure on-disk token write

Expose ICliAuthService over three endpoints (POST /api/cli/sessions,
POST /{sessionId}/approve, GET /{sessionId}/token) for the browser
device-code approval flow. Remove the .cli-auth-token file write and
unused IStoragePathResolver parameter from the login handler. Add nine
integration tests covering the full happy path and security negatives.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* Add CliAuthorize page, protected route, and api.ts approve call

Implements the browser-side CLI authorization flow: a new CliAuthorize
page where logged-in users approve command-line mount requests, a
protected route at /cli/authorize, and the api.cli.approveSession()
method. Includes component tests covering all states (missing session,
approve success, 404/410 errors, generic errors, deny).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* Replace installer on-disk-token auth with browser device-code flow

Rewrites acquire_token() to use the POST /api/cli/sessions +
browser-approval + polling pattern instead of reading a token file
from disk. The token is held only in a shell variable (AUTH_TOKEN)
and never written to disk. Also generalizes open_browser() to accept
an optional URL argument, removes the CLI_TOKEN_FILE variable, and
adds .gitignore entries for the token file.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* Require admin to approve CLI auth sessions

Mount creation requires admin, so allowing any approved user to approve a
CLI session led to a 403 dead-end after the browser approval. Tighten the
/api/cli/sessions/{id}/approve endpoint to RequireAdmin and add a
non-admin -> 403 integration test.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* Doc for secure CLI authentication and authorization window close after approval

* Mount folder to project root.

* fixes on windows

* Fix windows bugs

* update README.md

* updates installer.zip

* tests

* update installer.zip

---------

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
@douglasware douglasware merged commit 3ba66d4 into main Jul 2, 2026
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants