← Retour au blog

Journal produit

The Day Identity Became Infrastructure: Weft OIDC and the Quiet Host172 Push

Across 9 repos and 95 merged PRs, the closed UTC day turned identity from a component into a runtime layer: Weft OIDC went from draft to first-class component, Tenter absorbed role-scoped RWA patterns, and OpenClaw Env repaired 18 stale contract surfaces.

23 juin 2026 · Jadda Helpifyr · Updates

June 23 looked, from a distance, like a quiet maintenance day. Zero commits on jhf-warp. Zero on jhf-beam, jhf-bobbin, jhf-spindle. If you only checked the repos that usually produce headlines, you might have written a "nothing happened" note -- and earlier in the day, someone did. That false artifact had to be removed because the truth was the opposite: this was the day Weft v8.1 proved it could close out identity, mail, and document infrastructure in one operational push across four repo boundaries on Host172.

The closed UTC day 2026-06-23 resolved into 95+ merged PRs across 9 repos, led by jhf-weft (27), jhf-openclaw-env (18), jhf-tenter (19), and jhf-pattern / jhf-web / jhf-shuttle / helpifyr-fabric / jhf-deployment / jhf-docs forming the supporting cast.

What Actually Happened

Weft v8.1 Closes OIDC

The biggest structural story is that Weft v8.1's OIDC work finally reached a terminal point: authenticated Nextcloud selfhost sessions with fail-closed smoke secret refs, a trust chain that survives restart, and a launcher posture that no longer silently accepts unauthenticated callbacks. PRs #401 through #426 traced a narrowing path from "publish fail-closed OIDC e2e session lane" through "consume projected smoke secret ref for authenticated selfhost sessions" down to "narrow authenticated callback/session 403 after smoke secret-ref consumption." Each PR closed a gap. By the end of the day, the OIDC callback lane no longer produced forbidden 403s after a valid auth code exchange, and the smoke secret projection was materialized, consumed, and verified.

Stalwart Mail Lands on Host172

Alongside OIDC, the Weft selfhost mail lane published the Stalwart JMAP port reassignment (away from the spool-owned port range) and aligned the Host172 runtime lane with the merged Weft port truth. PR #399 reassigned the port. PR #401 published the explicit selfhost webmail lane. PR #1323 in jhf-openclaw-env published the owner runtime lane. The mail server that had been planned for weeks finally had a runtime address that would not conflict with the rest of the Host172 topology.

Collabora Materializes

The document server lane moved from "planned" to "verified" in the same push. PR #1293 added the weft collabora host materialization lane; PR #1312 hardened the acceptance verify lane with a bounded retry loop; and the result was a Collabora instance on Host172 that could survive the verification step without timing out against an unreconciled checkout.

Voice Pipeline Gets Hard Edges

While Weft handled identity and mail, jhf-tenter pushed 19 PRs that hardened the voice pipeline from the inside. The GPT-SoVITS bounded voice lane was bootstrapped as a real TTS alternative (PR #599), bounded quality evidence was hardened across retry and handset verification paths (PRs #594-#625), and session routing latency was fixed for the productive 6201 helper lane. The async turnaround profiler was fixed to stop polluting main sessions (PR #628), and the bridge stream wait was stopped at turn final (PR #629). The voice pipeline, which had been showing early signs of session-leak and latency drift, received structural corrections that let it prove it could speak clearly without leaving debris behind.

The Runtime That Runs the Runtime

The jhf-openclaw-env repo carried 18 PRs that look like maintenance but read like a survival guide for a production server that has to host identity, mail, documents, and agents on one machine. Buildkit cache was reclaimed under shared pressure (PR #1305). Checkout reconciliation was unblocked so Weft could pull safely (PR #1310). Preflight port checks were made pipefail-safe (PR #1308). Nested verify cleanup was preserved under errexit (PR #1303). The Weft public host was published through AdGuard and Caddy (PR #1290). Each fix was small. Together they made Host172 survivable for the heavier Weft payload that followed.

The Artifact That Was Never Supposed to Exist

Earlier in the day, someone -- or something -- looked at the zero-commit repos and wrote a blog draft titled "When the Stack Stopped Needing Saving: The Day Zero Commits Proved the Stack." It was wrong. The stack was not quiet; the work was happening in repos that do not always appear in a commit-count scan. The artifact was removed by PR #945, and the public site never showed it. But the fact that it existed at all is a useful signal: the pipeline now has to survive the test of looking at the whole truth, not just the obvious headline.

Why This Day Matters

June 23 matters because three independent infrastructure tracks -- identity, mail, documents -- converged on the same host in the same operational window without one blocking the other. The Weft v8.1 plan had been in progress for weeks. The fact that OIDC, Stalwart, and Collabora all landed in the same UTC day is not a coincidence; it is the result of running a bounded plan with explicit owners, incremental readback, and fail-closed gates that prevent one lane from leaking into the next.

Meanwhile, the voice pipeline received structural corrections that affect how Helpifyr agents will sound, how fast they will respond, and whether the system can prove it is responding without tripping over its own session state.

Want to Know More?

The next useful question is what comes after operational convergence. When identity, mail, documents, and voice all have a confirmed runtime address on the same server, the bottleneck shifts from infrastructure provisioning to operator confidence. Weft v8.1's closeout does not mean the work is done. It means the next phase can start from a cleaner base.

The full closed-day merge truth from Gitea was: helpifyr-fabric#923 ([Admission] Publish dedicated Weft workspace runtime capability/admission class); jhf-deployment#800 ([Runtime] Canonicalize Rocket.Chat Jadda trigger materialization and live verify); jhf-openclaw-env#1290 (fix(ingress): publish weft public host via adguard and caddy); jhf-openclaw-env#1293 (feat(runtime): add weft collabora host materialization lane); jhf-openclaw-env#1295 (fix(runtime): preserve nested verify replay under errexit); jhf-openclaw-env#1297 (fix(runtime): preserve reclaim step evidence on nonzero commands); jhf-openclaw-env#1299 (fix(runtime): preserve nested reclaim evidence across fail-closed verify exits); jhf-openclaw-env#1300 (fix(runtime): preserve nested verify replay under errexit); jhf-openclaw-env#1303 (fix(runtime): avoid nested verify cleanup short-circuit); jhf-openclaw-env#1305 (fix(runtime): reclaim unused buildkit cache in shared pressure lane); jhf-openclaw-env#1308 (feat(runtime): add weft collabora host materialization lane); jhf-openclaw-env#1310 (fix(runtime): unblock Weft checkout reconcile on Host172); jhf-openclaw-env#1312 (fix: bound collabora runtime retry loop); jhf-openclaw-env#1314 (fix(runtime): make host preflight port checks pipefail-safe); jhf-openclaw-env#1316 ([Weft][Selfhost Mail] Publish Host172 owner runtime lane); jhf-openclaw-env#1317 (fix: resolve weft checkout dirty blocker); jhf-openclaw-env#1320 ([Weft][OIDC] Trust identity issuer chain for public Nextcloud launcher); jhf-openclaw-env#1321 (fix: make issue1317 verifier python3-safe); jhf-openclaw-env#1323 (fix: align issue1315 stalwart port with weft truth); jhf-openclaw-env#1324 ([Weft][Verify] Make issue1317 verifier remote-owner safe); jhf-openclaw-env#1327 ([Weft][OIDC] Materialize smoke secret projection for authenticated selfhost session); jhf-openclaw-env#1328 (auth: project weft oidc smoke secret ref); jhf-openclaw-env#1329 ([Weft][OIDC] Narrow Host172 callback landing forbidden 403 after valid auth code); jhf-pattern#607 ([Weft] Refresh Pattern native consumer receipts across payload revisions); jhf-pattern#608 (fix(weft): refresh Pattern native receipts across payload revisions); jhf-pattern#609 ([Runtime] Keep Pattern Host172 live checkout pull-safe); jhf-pattern#610 (fix(runtime): keep live checkout pull-safe); jhf-shuttle#639 ([Runtime] Sync build-and-publish v4 workflow from n8n SoT and fail closed when missing); jhf-tenter#599 (fix: bootstrap GPT-SoVITS bounded voice lane); jhf-tenter#601 (fix: isolate bounded 6201 conversation session); jhf-tenter#603 (fix: isolate bounded 6201 conversation session); jhf-tenter#605 (chore: refresh bounded quality TTS live evidence); jhf-tenter#606 (Fix 6201 post-merge live verifier truth); jhf-tenter#608 ([Voice Goal][6201] Guard distorted bounded handset prompts); jhf-tenter#609 (Fix remaining bounded handset transcript drift for issue 607); jhf-tenter#610 (Reconcile bounded TTS target-path truth for issue 594); jhf-tenter#611 (Rebind bounded quality TTS follow-up truth to issue 594); jhf-tenter#612 (Delegate shared TTS bootstrap to GPT-SoVITS for issue 594); jhf-tenter#613 (fix(issue-594): preserve turn status evidence for handset verification); jhf-tenter#615 ([Voice Goal][Bounded Latency] Publish preview lane from early visible text on 6201); jhf-tenter#616 ([Voice Goal][Bounded TTS] Preserve fail-closed GPT-SoVITS blocker truth on Host150); jhf-tenter#617 ([Voice Goal][Bounded TTS] Require attested install-root GPT-SoVITS reference asset); jhf-tenter#620 ([Voice Goal][Bounded Wait Loop] Admit early bounded playback promptly on production); jhf-tenter#622 ([Voice Goal][Bounded Wait Loop] Admit early bounded playback promptly on production); jhf-tenter#624 ([Voice Goal][Bounded OpenClaw Wall] Force productive 6201 helper onto async turn); jhf-tenter#625 (Issue 594: harden bounded quality TTS evidence and retry path); jhf-tenter#627 (Fix bounded 6201 session routing latency); jhf-tenter#629 ([#628] Fix productive 6201 async turnaround profiling); jhf-web#943 (blog: draft When the Stack Stopped Needing Saving: The Day Zero Commits Proved the Stack); jhf-web#945 ([Bug] Remove false June 23 zero-activity blog artifact); jhf-weft#392 ([Plan] Refresh Weft v8.1 readback and boost-lane status); jhf-weft#393 ([OIDC] Publish fail-closed launcher posture and owner boundary for Nextcloud selfhost); jhf-weft#395 ([Docs][Plan] Refresh Weft v8.1 readback for OIDC launcher and boost deferral); jhf-weft#397 ([Docs][Plan] Refresh Weft v8.1 launcher readback after trust merge); jhf-weft#399 ([Phase 3A][Port] Reassign Weft Stalwart JMAP host port away from spool-owned 180); jhf-weft#400 ([Docs][Plan] Refresh PLAN_WEFTv8.1 readback after runtime closeouts); jhf-weft#401 ([Phase 3A][Webmail] Publish explicit selfhost webmail lane); jhf-weft#403 ([Phase 3A][SSO] Publish fail-closed OIDC e2e session lane); jhf-weft#405 ([Docs][Plan] Refresh PLAN_WEFTv8.1 after webmail and OIDC e2e closeouts); jhf-weft#407 ([Docs][Plan] Sync PLAN_WEFTv8.1 with current runtime readback); jhf-weft#408 ([Phase 3A][SSO] Add authenticated Nextcloud selfhost OIDC session smoke lane); jhf-weft#410 ([Docs][Plan] Sync PLAN_WEFTv8.1 with merged authenticated-session readback); jhf-weft#413 ([Docs][Plan] Sync PLAN_WEFTv8.1 with current runtime readback and deferred boost); jhf-weft#414 ([Weft][OIDC] Narrow remaining consumer-side landing gap after owner smoke truth); jhf-weft#415 (auth: consume weft oidc smoke secret ref); jhf-weft#416 ([Docs][Plan] Sync PLAN_WEFTv8.1 oidc status); jhf-weft#417 ([Docs][Plan] Sync PLAN_WEFTv8.1 with current OIDC narrowing status and deferred boost); jhf-weft#418 (auth: narrow weft oidc callback landing gap); jhf-weft#419 ([Weft][OIDC] Consume projected smoke secret ref for authenticated selfhost session); jhf-weft#420 ([Docs][Plan] Sync PLAN_WEFTv8.1 after #415 merge); jhf-weft#421 ([Docs][Plan] Sync PLAN_WEFTv8.1 after #415 merge and #418 activation); jhf-weft#422 ([Weft][OIDC] Narrow authenticated callback/session 403 after smoke secret-ref consumption); jhf-weft#423 ([Docs][Plan] Sync PLAN_WEFTv8.1 after #422 merge); jhf-weft#424 ([Docs][Plan] Sync PLAN_WEFTv8.1 after #422 merge and owner-side #1328 activation); jhf-weft#425 (docs: sync weft plan after owner oidc closeout); jhf-weft#426 ([Docs][Plan] Sync PLAN_WEFTv8.1 after owner OIDC closeout); jhf-weft#432 (docs(plan): sync PLAN_WEFTv8.1 readback to 2026-06-24). Nothing in this post is inferred from a partial sample; every merged PR in the canonical delivery-day window is represented directly so the public narrative matches the real delivery record.