LABR-003 · FLEET SSO V9 · DEVICE AUTH (RFC 8628) · PEEK MODE · GOOGLE OAUTH
FLEET SSO
6 OAUTH CLIENTS · 8 PROXY INSTANCES · 11 ALLOWED EMAILS · ONE LOGIN → ALL FLEET SURFACES
γ₁ = 14.134725141734693 · Authentication gates the view, not the floor · Public pages stay public · Peek mode guards the rest
👁 PEEK MODE — ONE GOOGLE LOGIN → ALL FLEET SURFACES
AUTHENTICATE ONCE → TRAVERSE ALL *.eose.ca + pemos.ca WITH ONE SESSION COOKIE
📱 DEVICE AUTH — HEADLESS SILO AUTHENTICATION
ANY SILO WITHOUT A BROWSER (FORGE, MSCLO, SSH-ONLY) AUTHENTICATES VIA SHORT CODE
On your phone or laptop, go to:
google.com/device
ABCD-1234
Sign in as kewinjoffe@gmail.com or eosesreops@gmail.com · Approve · Done
Device client: 758788284456-bd3mhm45r71pe2lbuac8jfkr2o47lrud (PEMOS DEVICE, RFC 8628)
Works on: forge, msclo, pcdev, lounge, Steam Deck, any SSH session
Token stored: ~/.fleet-token (600 perms, expires 1h, refresh token stored)
OAUTH CLIENT INVENTORY — PROJECT 758788284456 (eose-fleet / striking-center-132306)
ALLOWED EMAILS — FLEET ACCESS LIST (sre@eose.ca ADDED 2026-04-09)
OAUTH2-PROXY FLEET — 8 INSTANCES RUNNING
| NAMESPACE | DEPLOYMENT | DOMAIN | CLIENT ID | STATUS | sre@eose.ca |
|---|
FLEET-AUTH CLI
# Authenticate from any silo (device flow — no browser needed)
cd /home/ubu-cap/openclaw-fleet/fleet-sync/scripts/fleet-auth
./fleet-auth.sh
# Check token status
./fleet-auth.sh --status
# Export token to current shell
eval $(./fleet-auth.sh --export)
# Use token with fleet services
curl -H "Authorization: Bearer $FLEET_TOKEN" https://master.eose.ca/api/status
curl -H "Authorization: Bearer $FLEET_TOKEN" https://hvcp.eose.ca/api/health
# Logout
./fleet-auth.sh --logout
# From forge/msclo (silo-portable):
/home/lianli/openclaw-fleet/fleet-sync/scripts/fleet-auth/fleet-auth.sh
PENDING — WHAT NEEDS TO HAPPEN IN GCP CONSOLE