docs(dashboard-auth): plan v2 — incorporate Portal OAuth contract (PR #180) · 53999b9e95 - mirrors/hermes-agent

mirror of https://github.com/NousResearch/hermes-agent.git synced 2026-05-29 06:31:32 +00:00

docs(dashboard-auth): plan v2 — incorporate Portal OAuth contract (PR #180)

Adds a 'Contract Anchor' section at the top of the plan summarizing the
11 material findings from nous-account-service PR #180's published
contract. Rewrites Phase 4 (Nous provider) and Phase 6 (re-auth UX)
in-place; the v1 drafts are preserved inline marked 'rejected —
preserved for archeology' for reviewer context.

Phases 0–3 (already shipped) are unaffected — they set up gate
engagement and cookie plumbing only. The cookies module's RT cookie
becomes dead in Phase 6 task 6.3 and is removed there.

Key contract-driven reversals:
  - client_id is per-instance (agent:{id}), env-injected — not static
  - audience is bare client_id, not 'hermes-cli:' prefixed
  - scope is 'agent_dashboard:access' only
  - JWT claims do NOT include email/name — surface user_id instead
  - no refresh tokens in V1 — 401 → redirect to /login
  - JWKS-only verification, no userinfo fallback
  - redirect_uri is exact-match per AgentInstance, not wildcard

Phase 7's AuthWidget needs to display user_id (truncated) instead of
email; one-line annotation added at the top of that phase.

This commit is contained in:

Ben

2026-05-21 15:40:39 +10:00

• committed by

Teknium

parent 53736b3922

commit 53999b9e95

1 changed files with 4533 additions and 0 deletions

4533

.hermes/plans/2026-05-21-dashboard-oauth-auth.md Normal file

View file

File diff suppressed because it is too large Load diff

Rows
Columns

docs(dashboard-auth): plan v2 — incorporate Portal OAuth contract (PR #180)

4533 .hermes/plans/2026-05-21-dashboard-oauth-auth.md Normal file View file

4533

.hermes/plans/2026-05-21-dashboard-oauth-auth.md Normal file

View file