What shipped

Airlock — the cross-org auth gateway originally built (by mistake) inside choco-hq/services/airlock — is now live on Railway as its own first-class submodule at github.com/devarno-cloud/airlock, serving airlock.devarno.cloud. Hatch — a new Next.js admin console themed to match hubble — is live on Vercel at hatch.devarno.cloud, authenticated end-to-end via a real GitHub OAuth app and the .devarno.cloud shared session cookie. The stack is running in the DEVARNO • CLOUD Railway project alongside the existing Postgres/Redis instances, with airlock isolated to its own database inside the shared Postgres.

Why this matters

The cost-per-dashboard for adding SSO across the devarno-cloud ecosystem just dropped to ~40 lines of middleware — one Next.js middleware.ts that forwards cookies to airlock.devarno.cloud/api/auth/get-session, reads the user back, and gates by role. No OAuth client registration, no redirect dance, no user table, no session storage, no login page. Every new subdomain (futuretool.devarno.cloud) inherits:
  • Email + password auth
  • GitHub OAuth (and Google/Discord when their env vars are set)
  • The airlock-hosted sign-in page
  • Impersonation, ban, audit logging (BetterAuth admin plugin)
  • Cross-org RBAC (BetterAuth organization plugin)
Hubble and hatch are the proof points — both consume airlock the same way, with different tier-to-view mappings baked into each dashboard’s middleware.
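The middleware pattern described above, written out as an added example (not the airlock or hatch project's own code): the round trip to get-session and the role gate are separate functions so the gate can be exercised without Next.js. The get-session URL is the page's; the sign-in path, the response shape and the role-to-path mapping are assumptions.

```typescript
// Added example, not airlock's or hatch's own middleware. The get-session URL is from
// the page; the sign-in path, response shape and role names below are assumptions.
const AIRLOCK_SESSION_URL = "https://airlock.devarno.cloud/api/auth/get-session";
const AIRLOCK_SIGN_IN_URL = "https://airlock.devarno.cloud/sign-in"; // assumed path

type User = { id: string; email: string; role?: string };
type Session = { user: User } | null; // assumed get-session body
type FetchLike = (url: string, init: { headers: Record<string, string> }) =>
  Promise<{ ok: boolean; json(): Promise<unknown> }>;
type Decision =
  | { action: "next"; user: User }
  | { action: "redirect"; location: string }
  | { action: "forbid" };

// One dashboard's tier-to-view mapping, most specific prefix first
// (constructed for this example; hatch's real mapping is not on the page).
const VIEW_ROLES: Array<[string, string[]]> = [
  ["/admin", ["admin"]],
  ["/ops", ["admin", "operator"]],
  ["/", ["admin", "operator", "viewer"]],
];

// Relay only the browser's Cookie header to airlock. Anything other than a
// 2xx JSON body carrying a user counts as "no session", so errors fail closed.
async function resolveSession(cookie: string | null, fetchImpl: FetchLike): Promise<Session> {
  if (!cookie) return null; // no cookie: skip the round trip
  try {
    const res = await fetchImpl(AIRLOCK_SESSION_URL, { headers: { cookie } });
    if (!res.ok) return null;
    const body = (await res.json()) as Session;
    return body && typeof body === "object" && body.user ? body : null;
  } catch {
    return null;
  }
}

function rolesForPath(pathname: string): string[] | undefined {
  return VIEW_ROLES.find(([p]) => pathname === p || pathname.startsWith(p === "/" ? "/" : p + "/"))?.[1];
}

// Pure gating step, kept separate so the role logic is testable without a network.
function decide(pathname: string, session: Session, originalUrl: string): Decision {
  if (!session) {
    return { action: "redirect", location: `${AIRLOCK_SIGN_IN_URL}?callbackURL=${encodeURIComponent(originalUrl)}` };
  }
  const allowed = rolesForPath(pathname);
  const role = session.user.role;
  if (!allowed || !role || !allowed.includes(role)) return { action: "forbid" };
  return { action: "next", user: session.user };
}
```

In middleware.ts this becomes `decide(req.nextUrl.pathname, await resolveSession(req.headers.get("cookie"), fetch), req.url)`, with "next", "redirect" and "forbid" mapped to NextResponse.next(), NextResponse.redirect(location) and a 403 response. Paths not listed in the mapping and users without a role are denied rather than passed through.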

The iteration arc

Seven distinct production blockers hit between the first railway up and the first successful sign-in — enough to justify the betterauth-hono-integration.doctrine.md and the findings listed below. Each was a small fix in isolation; together they represent the total cost of standing up a BetterAuth instance on a pnpm/TypeScript/Node/Hono/Drizzle stack on Railway, and now the cost is frozen in docs so the next service (or the next ecosystem) pays it once.

Strategic implications

  1. Airlock is no longer choco-specific. It’s cross-org infrastructure. Any future stratt, traceo, or so1 subdomain can integrate in an afternoon.
  2. Hatch is the reference consumer. Every pattern it uses (middleware, auth-provider, SVG charts, admin API client) is copyable into the next ops dashboard.
  3. The hubble/hatch theme is the platform aesthetic. Mars palette, glassmorphism, JetBrains Mono telemetry, 7 role-gated views — this is now the house style for internal tools.
  4. Auth is no longer a per-project concern. It’s a platform capability, like logging or deployment, and it has one home.

What’s next

  • Migrate family-hub’s auth onto airlock (casa campaign, phase 3 of airlock IMPLEMENTATION.md)
  • Move hubble off its current auth (if separate) onto the same cookie
  • Wire the OAuth provider plugin for MCP clients and external app registration
  • Retire atlas/skills/stratt-* pre-airlock stubs once the real implementations ship