Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
128 changes: 128 additions & 0 deletions .github/workflows/publish-edge-totp.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,128 @@
name: Publish edge-totp

on:
workflow_dispatch:
push:
branches:
- feature/saml-app
paths:
- 'edge-totp/**'
Comment thread
godronus marked this conversation as resolved.

jobs:
build_and_publish:
name: Build and publish edge-totp
runs-on: ubuntu-latest

steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Import credentials from Vault
uses: hashicorp/vault-action@v3
id: creds
with:
url: https://puppet-vault.gc.onl
token: ${{ secrets.VAULT_TOKEN }}
secrets: |
secret/project_fastedge/harbor-robot-account username | HARBOR_LOGIN ;
secret/project_fastedge/harbor-robot-account password | HARBOR_PASSWORD ;
secret/project_fastedge/gcore_api/preprod/token token | PREPROD_API_KEY ;
secret/project_fastedge/gcore_api/preprod/hostname url | PREPROD_API_URL ;
secret/project_fastedge/gcore_api/prod/token token | PROD_API_KEY ;
secret/project_fastedge/gcore_api/prod/hostname url | PROD_API_URL ;

- name: Login to Harbor and pull compiler
uses: ./.github/setup-harbor-pull
with:
harbor_login: ${{ steps.creds.outputs.HARBOR_LOGIN }}
harbor_password: ${{ steps.creds.outputs.HARBOR_PASSWORD }}

- name: Setup Node.js and install dependencies
uses: ./.github/setup-node
with:
working_directory: edge-totp

# --- Unit tests (no wasm needed — fast gate before any build) ---

- name: Unit tests
working-directory: edge-totp
run: pnpm -C otp-app test

# --- TypeScript app ---

- name: Build TS WASM
working-directory: edge-totp
run: pnpm -C otp-app build

# --- Rust filter ---

- name: Build Rust filter
uses: ./.github/build-rust
with:
rust_package: totp-filter
working_directory: edge-totp/otp-filter
output_path: edge-totp/otp-filter/wasm/totp-filter.wasm

# --- Filter tests (require compiled wasm) ---

- name: Filter tests
working-directory: edge-totp
run: pnpm -C otp-filter test

# --- Deploy ---
# preprod: always (workflow_dispatch or push to feature/saml-app)
# prod: push to main only

- name: Read totp-app registry
id: totp-app
run: |
echo "descr=$(jq -r '.description' edge-totp/otp-app/registry.json)" >> "$GITHUB_OUTPUT"
echo "params=$(jq -c '.params' edge-totp/otp-app/registry.json)" >> "$GITHUB_OUTPUT"

- name: Deploy totp-app to preprod
uses: gcore-github-actions/fastedge/deploy-template@v1
with:
api_key: ${{ steps.creds.outputs.PREPROD_API_KEY }}
api_url: ${{ steps.creds.outputs.PREPROD_API_URL }}
wasm_file: edge-totp/otp-app/dist/totp-app.wasm
template_name: totp-app
short_descr: ${{ steps.totp-app.outputs.descr }}
params: ${{ steps.totp-app.outputs.params }}

- name: Deploy totp-app to prod
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
uses: gcore-github-actions/fastedge/deploy-template@v1
with:
api_key: ${{ steps.creds.outputs.PROD_API_KEY }}
api_url: ${{ steps.creds.outputs.PROD_API_URL }}
wasm_file: edge-totp/otp-app/dist/totp-app.wasm
template_name: totp-app
short_descr: ${{ steps.totp-app.outputs.descr }}
params: ${{ steps.totp-app.outputs.params }}

- name: Read totp-filter registry
id: totp-filter
run: |
echo "descr=$(jq -r '.description' edge-totp/otp-filter/registry.json)" >> "$GITHUB_OUTPUT"
echo "params=$(jq -c '.params' edge-totp/otp-filter/registry.json)" >> "$GITHUB_OUTPUT"

- name: Deploy totp-filter to preprod
uses: gcore-github-actions/fastedge/deploy-template@v1
with:
api_key: ${{ steps.creds.outputs.PREPROD_API_KEY }}
api_url: ${{ steps.creds.outputs.PREPROD_API_URL }}
wasm_file: edge-totp/otp-filter/wasm/totp-filter.wasm
template_name: totp-filter
short_descr: ${{ steps.totp-filter.outputs.descr }}
params: ${{ steps.totp-filter.outputs.params }}

- name: Deploy totp-filter to prod
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
uses: gcore-github-actions/fastedge/deploy-template@v1
with:
api_key: ${{ steps.creds.outputs.PROD_API_KEY }}
api_url: ${{ steps.creds.outputs.PROD_API_URL }}
wasm_file: edge-totp/otp-filter/wasm/totp-filter.wasm
template_name: totp-filter
short_descr: ${{ steps.totp-filter.outputs.descr }}
params: ${{ steps.totp-filter.outputs.params }}
4 changes: 3 additions & 1 deletion CLAUDE.md
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ template to adapt it to their needs.
|---|---|
| `html2md/` | Proxy-WASM filter: converts HTML origin responses to Markdown on `Accept: text/markdown` |
| `edge-sso/` | Multi-provider SSO bolt-on (Google, GitHub, Microsoft, Facebook, SAML) — three delivery variants: gate-only, cookie, header |
| `edge-totp/` | Edge TOTP MFA bolt-on — adds RFC 6238 two-factor auth in front of an existing login; HTTP app (otp-app) + Rust proxy-wasm enforcement filter (otp-filter) |

## Repo Structure

Expand All @@ -27,7 +28,8 @@ FastEdge-templates/
├── assets/ ← shared marketing assets (deploy buttons, etc.)
├── .github/workflows/ ← CI/CD: builds and publishes all templates to Gcore portal
├── html2md/ ← standalone Rust/WASM template
└── edge-sso/ ← standalone mixed Rust+TypeScript SSO template
├── edge-sso/ ← standalone mixed Rust+TypeScript SSO template
└── edge-totp/ ← standalone mixed Rust+TypeScript TOTP MFA template
```

## Standalone Principle
Expand Down
9 changes: 9 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,15 @@ backend. Comes in three delivery variants:

See [`edge-sso/README.md`](edge-sso/README.md) for details.

### edge-totp

Edge TOTP MFA bolt-on — adds RFC 6238 two-factor authentication in front of a customer's
existing login without changing the backend. The customer's origin handles password
validation and hands off to the edge app for the OTP challenge, which issues a signed
session cookie that a paired CDN filter enforces on every protected request.

See [`edge-totp/README.md`](edge-totp/README.md) for details.

## License

Apache-2.0. See [`LICENSE`](LICENSE).
150 changes: 150 additions & 0 deletions edge-totp/.gitignore
Original file line number Diff line number Diff line change
@@ -0,0 +1,150 @@
# Logs
logs
*.log
npm-debug.log*
yarn-debug.log*
yarn-error.log*
lerna-debug.log*

# Diagnostic reports (https://nodejs.org/api/report.html)
report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json

# Runtime data
pids
*.pid
*.seed
*.pid.lock

# Directory for instrumented libs generated by jscoverage/JSCover
lib-cov

# Coverage directory used by tools like istanbul
coverage
*.lcov

# nyc test coverage
.nyc_output

# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
.grunt

# Bower dependency directory (https://bower.io/)
bower_components

# node-waf configuration
.lock-wscript

# Compiled binary addons (https://nodejs.org/api/addons.html)
build/Release

# Dependency directories
node_modules/
jspm_packages/

# Snowpack dependency directory (https://snowpack.dev/)
web_modules/

# TypeScript cache
*.tsbuildinfo

# Optional npm cache directory
.npm

# Optional eslint cache
.eslintcache

# Optional stylelint cache
.stylelintcache

# Optional REPL history
.node_repl_history

# Output of 'npm pack'
*.tgz

# Yarn Integrity file
.yarn-integrity

# dotenv environment variable files
.env
.env.*
!.env.example

# parcel-bundler cache (https://parceljs.org/)
.cache
.parcel-cache

# Next.js build output
.next
out

# Nuxt.js build / generate output
.nuxt
dist
.output

# Gatsby files
.cache/
# Comment in the public line in if your project uses Gatsby and not Next.js
# https://nextjs.org/blog/next-9-1#public-directory-support
# public

# vuepress build output
.vuepress/dist

# vuepress v2.x temp directory
.temp

# Sveltekit cache directory
.svelte-kit/

# vitepress build output
**/.vitepress/dist

# vitepress cache directory
**/.vitepress/cache

# Docusaurus cache and generated files
.docusaurus

# Serverless directories
.serverless/

# FuseBox cache
.fusebox/

# DynamoDB Local files
.dynamodb/

# Firebase cache directory
.firebase/

# TernJS port file
.tern-port

# Stores VSCode versions used for testing VSCode extensions
.vscode-test

# pnpm
.pnpm-store

# yarn v3
.pnp.*
.yarn/*
!.yarn/patches
!.yarn/plugins
!.yarn/releases
!.yarn/sdks
!.yarn/versions

# Vite files
vite.config.js.timestamp-*
vite.config.ts.timestamp-*
.vite/

# FastEdge build artifacts
*.wasm
/wasm/
/otp-app/wasm/
/otp-filter/target/
/build/
38 changes: 38 additions & 0 deletions edge-totp/AGENTS.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
---
doc_type: policy
audience: bot
lang: en
tags: ["ai-agents", "rules", "critical", "codex"]
last_modified: 2026-06-15T00:00:00Z
copyright: "© 2026 gcore.com"
---

# RULES FOR AI AGENTS

TL;DR: Keep command output short. Do not take actions unless asked.
Do not waste tokens on experiments. Do only what is asked.

# COMMUNICATION STYLE

- Use English by default; if the user writes in another language, use that language
- Use an informal tone, avoid formal business language
- Question ideas and suggest alternatives — do not just agree with everything
- Think for yourself instead of agreeing to be polite

# INVARIANTS

- NEVER do anything beyond the assigned task
- NEVER change code that was not asked to change
- NEVER "improve" or "optimize" without a clear request
- NEVER use scripts for mass code replacements
- NEVER make architecture decisions on your own
- ALWAYS keep command output short — every extra line = wasted tokens
- ALWAYS think before acting — do not repeat checks, remember context
- ALWAYS ask an expert when the solution is not clear
- ALWAYS tell apart an observation from an action request:
observation ("works oddly") → discuss, DO NOT fix
request ("fix this") → act

# PROJECT CONTEXT

see CLAUDE.md
Loading