# Hive

At Tuist we've reimagined how we shape and build product by leaning into LLMs and agentic workflows, and Hive is our take on it. It's built to run inside our own team and equally to be opened up to the people who use your products.

Hive is licensed under [MPL-2.0](LICENSE.md). We don't offer it as a managed service, but you can try our own instance at , or self-host your own.

## Self-hosting

### Visibility

`HIVE_VISIBILITY` controls who can reach the dashboard:

- `public` (default): anyone can use the instance without logging in.
- `private`: routes are gated behind login; only authenticated users (passing any configured provider's domain allowlist) can access them.

### Authentication

Hive's login is available regardless of visibility (so admins can sign in to a public instance). Auth is delegated to [Ueberauth] + [ueberauth_oidcc]; any number of providers can be enabled simultaneously and will appear as buttons on the login screen.

[Ueberauth]: https://github.com/ueberauth/ueberauth
[ueberauth_oidcc]: https://github.com/erlef/ueberauth_oidcc

#### Google

- `HIVE_GOOGLE_CLIENT_ID`
- `HIVE_GOOGLE_CLIENT_SECRET`
- `HIVE_GOOGLE_ALLOWED_DOMAINS` (optional, comma-separated list of email domains to accept; e.g. `tuist.dev`). When a single domain is set, the authorize redirect also includes Google's `hd=` hint to pre-filter the account picker. The check is enforced on the callback regardless.

Callback URL: `/auth/google/callback` on the deployed host.

#### Generic OpenID Connect

Any OIDC provider with a `.well-known/openid-configuration` endpoint:

- `HIVE_OIDC_ISSUER`: the issuer base URL. Hive's auth client discovers authorize/token/userinfo endpoints from `/.well-known/openid-configuration`.
- `HIVE_OIDC_CLIENT_ID`
- `HIVE_OIDC_CLIENT_SECRET` (optional)
- `HIVE_OIDC_DISPLAY_NAME` (optional, label on the login button; defaults to "Identity provider")
- `HIVE_OIDC_ALLOWED_DOMAINS` (optional, comma-separated allowlist)

Callback URL: `/auth/oidc/callback` on the deployed host.

#### Setting up Google OAuth

1. Open in the Google Cloud project you want to use.
2. Configure the OAuth consent screen (User type **Internal** for a workspace, **External** otherwise; scopes `openid`, `profile`, `email`).
3. **Create Credentials → OAuth client ID → Web application**.
4. Add the **Authorized redirect URI** for each environment, e.g. `https://hive.example.com/auth/google/callback`.
5. Copy the Client ID and Client Secret into `HIVE_GOOGLE_CLIENT_ID` and `HIVE_GOOGLE_CLIENT_SECRET`.

### Deployment

The Helm chart in `infra/helm/hive` is generic, so anyone can deploy their own Hive instance with it. The defaults assume no External Secrets Operator, no image pull secret, and no S3 backup; you bring your own Kubernetes Secret for `SECRET_KEY_BASE` (and any OAuth credentials) and point at it via `secrets.existingSecret`, then `helm upgrade --install`.

Minimum bring-your-own setup:

```bash
kubectl create namespace hive
kubectl -n hive create secret generic hive-app \
  --from-literal=SECRET_KEY_BASE="$(mix phx.gen.secret)" \
  --from-literal=HIVE_GOOGLE_CLIENT_ID="..." \
  --from-literal=HIVE_GOOGLE_CLIENT_SECRET="..."
helm upgrade --install hive infra/helm/hive \
  --namespace hive \
  --set host=hive.example.com \
  --set env.HIVE_VISIBILITY=private \
  --set env.HIVE_GOOGLE_ALLOWED_DOMAINS=example.com
```

If you run External Secrets Operator, enable `externalSecrets.enabled` and provide `storeRef` + `items` pointing at your backend (Vault, AWS Secrets Manager, 1Password, etc.) in your own values overlay.
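To make the allowlist semantics from the Authentication section concrete, here is an added Python sketch (not Hive's Elixir code) of how the `*_ALLOWED_DOMAINS` variable is parsed, how the callback check rejects an authenticated account whose email domain is not listed, and why the `hd=` hint is only a picker pre-filter. It assumes exact domain matching (subdomains of an allowed domain are not accepted) and that an unset or empty variable means no restriction.

```python
"""Email-domain allowlist for an OAuth/OIDC login callback (illustrative, not Hive's code)."""
from __future__ import annotations


def parse_allowed_domains(raw: str | None) -> frozenset[str]:
    """Parse a comma-separated HIVE_*_ALLOWED_DOMAINS value.

    Entries are trimmed and lower-cased; blank entries (trailing commas,
    double commas) are ignored. Unset/empty -> empty set -> no restriction.
    """
    if not raw:
        return frozenset()
    return frozenset(d.strip().lower() for d in raw.split(",") if d.strip())


def email_domain(email: str) -> str | None:
    """Return the lower-cased domain part of an email, or None if malformed."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower()


def domain_allowed(email: str, allowed: frozenset[str]) -> bool:
    """The check enforced on the callback, after the provider has verified the user.

    Assumption: exact match only, so 'eng.tuist.dev' is NOT accepted when the
    allowlist contains 'tuist.dev'. An empty allowlist accepts every domain.
    """
    if not allowed:
        return True
    domain = email_domain(email)
    return domain is not None and domain in allowed


def google_authorize_params(allowed: frozenset[str]) -> dict[str, str]:
    """Extra query parameters for the Google authorize redirect.

    Google's `hd` parameter pre-filters the account picker and is only added
    when exactly one domain is configured. It is a UX hint: the user can still
    pick another account, which is why domain_allowed() runs on the callback.
    """
    params = {"scope": "openid profile email"}
    if len(allowed) == 1:
        params["hd"] = next(iter(allowed))
    return params


if __name__ == "__main__":
    # Constructed sample: a single-domain allowlist as in the Helm example above.
    allowed = parse_allowed_domains("example.com")
    print(google_authorize_params(allowed))          # includes hd=example.com
    print(domain_allowed("alice@example.com", allowed))   # True
    print(domain_allowed("mallory@other.com", allowed))   # False
```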