fix(setup): auto-bootstrap local OneCLI admin so first install completes #2052
Open
dooha333 wants to merge 3 commits into
A fresh local OneCLI install leaves the `onecli` CLI unauthenticated, so the
Anthropic-token save step fails with `Unauthorized / AUTH_REQUIRED` and the
whole setup flow dead-ends. v1 wrote the key straight to .env; v2's vault
flow assumes the CLI is already logged in to the gateway, but for a brand-new
local install it isn't yet.
After `pollHealth` in both the install and `--reuse` paths, if
`onecli auth status` is unauthenticated, hit `GET ${url}/api/user/api-key`
with header `x-forwarded-for: 127.0.0.1`. The gateway in `local` authMode
treats that as a loopback request and runs its built-in `local-admin`
bootstrap (creates user + account + api_key in one call), returning the
`oc_…` key. Persist it via `onecli auth login --api-key` and `ONECLI_API_KEY`
in `.env` — same dual-surface pattern as commit f048447 added for remote-mode.
Why the XFF spoof: the Linux installer binds the gateway to docker0
(172.17.0.1) so containers can reach it, but that means host-side requests
don't look like loopback to OneCLI's auth check (which only inspects
`x-forwarded-for`, not the TCP source). Setting it ourselves opts back into
the existing local-admin bootstrap path without changing the bind address.
Refs nanocoai#1973, nanocoai#1818.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Type of Change
Description
What. Adds local-admin auto-bootstrap to setup's OneCLI step so the `onecli` CLI is authenticated immediately after a fresh local-vault install.

Why. On a fresh install, the OneCLI gateway starts empty and the `onecli` CLI has no API key. The next setup step that calls `onecli secrets create` (saving the Claude OAuth token) fails with `AUTH_REQUIRED`, surfacing as "Couldn't complete the Claude sign-in".

How it works. `setup/onecli.ts` makes a `GET /api/user/api-key` request with `x-forwarded-for: 127.0.0.1`. The gateway's `local` authMode treats that as a loopback request and runs its built-in `local-admin` bootstrap, returning an `oc_…` key. We persist via `onecli auth login` and add `ONECLI_API_KEY` to `.env`. No-op when the CLI is already authenticated.

How it was tested. Fresh privileged Proxmox LXC end-to-end: `onecli` step succeeded in 29s, Anthropic secret reached the vault, no `AUTH_REQUIRED`. `pnpm exec tsc --noEmit` clean. `pnpm test` 197/197.

Refs #1973, #1818
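
The commit message above says the gateway's loopback check inspects only `x-forwarded-for`, not the TCP source. As an added example (not OneCLI's code and not part of this PR), the TypeScript below contrasts a header-only locality check with one keyed on the socket peer address. The `Req` shape, the function names and the sample addresses are constructed assumptions.

```typescript
// Added illustration; not OneCLI source. Req, the function names and the
// sample requests below are constructed assumptions.
interface Req {
  peerAddr: string;                 // remote address of the TCP socket
  headers: Record<string, string>;  // header names lower-cased
}

const LOOPBACK = /^(127(\.\d{1,3}){3}|::1|::ffff:127(\.\d{1,3}){3})$/;
const isLoopbackAddr = (addr: string): boolean => LOOPBACK.test(addr.trim());

// Header-only check: "local" is whatever the client wrote in the header.
function isLocalByHeader(req: Req): boolean {
  const xff = req.headers["x-forwarded-for"] ?? "";
  return isLoopbackAddr(xff.split(",")[0] ?? "");
}

// Peer-based check: the socket address decides. The header is read only when
// the peer is an explicitly trusted proxy, and then only the right-most hop
// (the one that proxy appended) is used.
function isLocalByPeer(req: Req, trustedProxies: Set<string>): boolean {
  if (!trustedProxies.has(req.peerAddr)) return isLoopbackAddr(req.peerAddr);
  const hops = (req.headers["x-forwarded-for"] ?? "")
    .split(",").map((h) => h.trim()).filter((h) => h.length > 0);
  return hops.length > 0 && isLoopbackAddr(hops[hops.length - 1] ?? "");
}

// Constructed sample requests.
const fromDockerBridge: Req = {
  peerAddr: "172.17.0.2", headers: { "x-forwarded-for": "127.0.0.1" },
};
const fromLoopback: Req = { peerAddr: "127.0.0.1", headers: {} };
const viaProxy: Req = {
  peerAddr: "10.0.0.5", headers: { "x-forwarded-for": "127.0.0.1, 203.0.113.9" },
};

// Runs both checks on one request so the results can be compared.
function compare(
  req: Req, proxies: Set<string> = new Set<string>(),
): { byHeader: boolean; byPeer: boolean } {
  return { byHeader: isLocalByHeader(req), byPeer: isLocalByPeer(req, proxies) };
}
```

The two checks disagree on every sample: the header-only check accepts the bridge-network request and rejects the genuine loopback one, while the peer-based check does the reverse.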