chore(installer): remove first-run-lock + OTP + password-claim banner (Slice C)#266
Merged
Merged
Conversation
… (Slice C) Slice C of the Phase 1 auth removal. With the entire backend auth surface gone (Slice A #256) and the dashboard auth UI gone (Slice B #255), the installer no longer needs to mint a one-time-password lockfile to scope the first-run wizard's claim window — there is no wizard claim window because there's no password to claim. What goes: installer/install.sh - drop the First-run claim lockfile block (FIRST_RUN_LOCK + FIRST_RUN_OTP mint with uuidgen / /proc/sys/kernel/random/uuid / python fallback; atomic temp-file + rename; idempotent reuse on rerun) — ~42 lines - drop the corresponding `HAL0_AUTH_DISABLED=1` comment block from the api.env template generation - drop the Summary-block "First-run OTP" stanza (the dim-grey "lockfile: /var/lib/hal0/.first-run.lock" line + the "paste this into the wizard" hint) — ~13 lines - drop the late-stage "First-run setup token" lookup that re-reads the lockfile after services start + adds it to the summary — ~40 lines - change the `Auth` summary row from "locked — finish first-run wizard to set a password" to "open on the trusted LAN — front with a reverse proxy if exposed" Total: 109 lines removed, 1 line edited. Intentionally NOT touched - installer/uninstall.sh still removes the legacy /var/lib/hal0/.first-run.lock file on uninstall so existing v0.1.x / v0.2.x installs with a leftover lockfile get cleaned up properly. Same pattern as the Caddy unit teardown in #254. Sequence (Phase 1 auth removal) - Slice B (#255, merged) — frontend useAuth + Settings Auth panel - Slice A (#256, in CI) — backend auth modules + tests + dependency arrays - Slice C (this PR) — installer first-run-lock / OTP / password prompt - Slice D — ADR-0011 marking ADR-0001 superseded, README, docs/operate/auth.md delete, CHANGELOG, version bump Verification - bash -n installer/install.sh clean - Zero FIRST_RUN_LOCK / FIRST_RUN_OTP / first-run-wizard-password refs remain in install.sh Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2 tasks
thinmintdev
added a commit
that referenced
this pull request
May 23, 2026
…ice D) (#267) Final slice of the Phase 1 auth removal. Closes the architectural loop opened by ADR-0001, surfaces the breaking change to operators, bumps the version, and patches the one test that #256 missed. ADR - New: docs/internal/adr/0012-remove-auth-and-caddy.md — accepts the removal direction, references the four implementing PRs (#254, #255, #256, #266), records what was deleted (~6,000 LOC) and what stays (uninstall cleanup, MCPAuthMiddleware as identity stash, bcrypt/PyJWT/argon2 deps untouched), and frames the v0.3 stream-4 follow-up work (MCPIdentityMiddleware rename, Hermes header swap). Note: numbered 0012 because 0011 was taken by agent-identity-cards via PR #239 while the auth-removal work was in flight — the original briefing's "ADR-0011" suggestion was stale by the time it landed. - ADR-0001 frontmatter flipped to `Status: Superseded by ADR-0012 (2026-05-23)` with a paragraph explaining why "FastAPI owns auth" ended up being transitional. Docs - docs/operate/auth.mdx — full rewrite. The old page documented Caddy + basic_auth + the LAN-vs-WAN wizard flow; the new page tells operators hal0 ships open on a trusted LAN and gives three concrete upstream-proxy patterns (Traefik, nginx, Cloudflare Tunnel) with copy-pasteable configs. OpenWebUI's own `WEBUI_AUTH_TRUSTED_EMAIL_HEADER` override is documented for the upstream-proxy SSO case. - README.md - drop "password setup → bundle pick" from the first-run feature line - rewrite the "Auth posture" section: references ADR-0012, drops the FIRST_RUN_LOCK / OTP / wizard-password-step prose, points at docs/operate/auth.mdx for upstream-proxy patterns - CHANGELOG.md - new top-level [v0.3.0-alpha.1] — 2026-05-23 entry - Breaking: auth gone, Caddy gone, `--no-tls` gone, HAL0_AUTH_* env vars are no-ops, Bearer tokens minted under v0.2.x stop working - New / improved: v3 dashboard on main + normalizers (#235/#249/#253), /v1/* proxy (#248/#212), footer nullability (#252/#221), Settings default tab → Secrets - Removed code: per-file accounting of the ~6,000 deletions - Upgrade notes: lose-your-password warning, drop --no-tls flag Tests - tests/openwebui/test_env_writer.py - delete `test_auth_disabled_keeps_webui_auth_false` (covered by the rewritten test below) - delete `test_auth_enabled_flips_webui_auth_true` (the one test that failed CI on #256 — was asserting the now-removed HAL0_AUTH_ENABLED→WEBUI_AUTH=True branching) - delete `test_auth_falsy_values_keep_defaults` (parametrized sibling, same removed branching) - delete `test_overrides_still_win_under_auth` (same) - add `test_webui_auth_is_always_false_by_default` (defensive: the env vars are gone, WEBUI_AUTH stays False regardless) - add `test_trusted_email_header_via_explicit_override` (documents the new opt-in path through the `overrides` parameter) Version - pyproject.toml: 0.2.0-alpha.3 → 0.3.0-alpha.1 (single source of truth per memory hal0_version_two_locations — src/hal0/__init__.py reads via importlib.metadata) Sequence (Phase 1 complete) - Slice B (#255, merged) - Slice A (#256, merged with admin-override since this test failure was the only blocker; resolved here) - Slice C (#266, in CI) - Slice D (this PR) Follow-up (per the user's briefing, not in this PR) - Update Hermes bootstrap plan + ADR-0011 (agent identity cards) to drop bearer references and switch to X-hal0-Agent identity header - Edit issues #240 / #243 / #246 to drop bearer-token acceptance criteria - Rename MCPAuthMiddleware → MCPIdentityMiddleware in mcp_mount.py - Update auto-memory feedback-caddy-reduction-divergence to note the direction landed Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This was referenced May 23, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Slice C of the Phase 1 auth removal. With the backend auth surface gone (#256, Slice A) and the dashboard auth UI gone (#255, Slice B), the installer no longer needs to mint a one-time-password lockfile to scope the first-run wizard's claim window — there is no wizard claim window because there's no password to claim.
−109 / +1 lines, 1 file.
Changes
installer/install.sh:FIRST_RUN_LOCK+FIRST_RUN_OTPmint withuuidgen//proc/sys/kernel/random/uuid/ python fallback; atomic temp-file + rename; idempotent reuse on rerun) — ~42 linesHAL0_AUTH_DISABLED=1comment block from theapi.envtemplate generation/var/lib/hal0/.first-run.lock" line + the "paste this into the wizard" hint) — ~13 linesAuthsummary row fromlocked — finish first-run wizard to set a passwordtoopen on the trusted LAN — front with a reverse proxy if exposedIntentionally NOT touched
installer/uninstall.shstill removes the legacy/var/lib/hal0/.first-run.lockfile on uninstall so existing v0.1.x / v0.2.x installs with a leftover lockfile get cleaned up properly. Same pattern as the Caddy unit teardown in chore(installer): remove bundled Caddy reverse proxy — TLS is upstream's job #254.Sequence
useAuth+ Settings Auth panelVerification
bash -n installer/install.shcleanFIRST_RUN_LOCK/FIRST_RUN_OTP/ first-run-wizard-password refs remain ininstall.shTest plan
install.shrun no longer emits the "First-run OTP" or "First-run setup token" banners;/etc/hal0/api.envhas no auth-related env vars🤖 Generated with Claude Code