---
title: Agentic Space Factory
emoji: 🏭
colorFrom: blue
colorTo: purple
sdk: gradio
app_file: app.py
python_version: "3.11"
pinned: false
hf_oauth: true
hf_oauth_expiration_minutes: 480
hf_oauth_scopes:
  - read-repos
  - write-repos
  - manage-repos
  - gated-repos
  - inference-api
  - jobs
---

# Agentic Space Factory — V2 Foundation

This version validates the safe foundation for a Hugging Face-native “Agentic Space Factory”.

It now supports two phases:

```text
Phase 1:
Gradio Space OAuth user
→ launch Hugging Face Job with the user's OAuth token
→ mount private Storage Bucket
→ write run state/events/report
→ read run status back in the orchestrator UI

Phase 2.1:
Gradio Space OAuth user
→ launch Hugging Face Job
→ create private target Gradio Space in the user's namespace
→ upload app.py / requirements.txt / README.md
→ validate the live Space through gradio_client
→ write run state/events/report to the Bucket
```

The configured bucket is:

```text
hf://buckets/fffiloni/space-factory-runs
```

## What this version does

- Enables Hugging Face OAuth in a Gradio Space.
- Requests the `jobs` scope, plus repo/inference scopes needed by later phases.
- Launches CPU Hugging Face Jobs using `huggingface_hub.run_job`.
- Mounts `fffiloni/space-factory-runs` as `/output` in the Job.
- Passes the OAuth token to the Job as an encrypted secret, not as a CLI argument.
- Phase 1 writes these files in the bucket:

```text
runs/<run_id>/state.json
runs/<run_id>/events.jsonl
runs/<run_id>/report.md
```

- Phase 2.1 additionally creates a private target Space and stores:

```text
runs/<run_id>/target_space.json
runs/<run_id>/generated/app.py
runs/<run_id>/generated/requirements.txt
runs/<run_id>/generated/README.md
runs/<run_id>/tests/api_schema.json
runs/<run_id>/tests/test_result.json
```

## What this version does not do yet

- It does not run Pi yet.
- It does not analyze model cards yet.
- It does not configure ZeroGPU yet.
- It does not publish anything publicly.
- It does not overwrite existing target Spaces.

Those are intentionally left for the next increments once OAuth → Jobs → Bucket → private Space creation → live API validation is confirmed.

## Configuration

Default values are in `src/config.py`.

You can override them with Space variables:

```bash
SPACE_FACTORY_BUCKET_SOURCE=fffiloni/space-factory-runs
SPACE_FACTORY_BUCKET_MOUNT=/output
SPACE_FACTORY_JOB_FLAVOR=cpu-basic
SPACE_FACTORY_JOB_TIMEOUT=15m
SPACE_FACTORY_JOB_IMAGE=python:3.12
```

For Phase 2.1, a 15-minute timeout is usually enough for a tiny Gradio Space. Increase it if Space builds are slow.

## Local notes

OAuth injection only works inside a Hugging Face Space with `hf_oauth: true`.
For local UI development, the app can render, but launching a Job requires a real OAuth token passed by Gradio in a Space.

## Security posture

- No global admin token is required.
- The user's OAuth token is used only to launch the Job and is passed to the Job as a secret.
- The worker script never prints the token.
- The target bucket should remain private.
- Phase 2.1 target Spaces are private by default.
- Raw traces and future Pi sessions must stay private by default.
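
The sketch below is an added example, not the project's worker script. It writes the Phase 1 files under `runs/<run_id>/` on the mounted bucket and redacts the token from everything it persists, including exception text. The `HF_TOKEN` secret name, the `run_id` pattern, the `step` callable and the JSON field names are assumptions.

```python
import json
import os
import re
import time
from pathlib import Path

RUN_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")  # assumed run_id format


def redact(text: str, token: str) -> str:
    """Replace exact occurrences of the token before text is logged or stored."""
    return text.replace(token, "[REDACTED]") if token else text


class RunWriter:
    """Writes state.json, events.jsonl and report.md under <mount>/runs/<run_id>/."""

    def __init__(self, mount: str, run_id: str, token: str):
        if not RUN_ID_RE.fullmatch(run_id):
            raise ValueError("invalid run_id")  # rejects ../ traversal out of runs/
        self.dir = Path(mount) / "runs" / run_id
        self.dir.mkdir(parents=True, exist_ok=True)
        self.token = token

    def event(self, kind: str, message: str) -> None:
        record = {"ts": time.time(), "kind": kind, "message": redact(message, self.token)}
        with open(self.dir / "events.jsonl", "a", encoding="utf-8") as f:
            f.write(json.dumps(record) + "\n")

    def finish(self, status: str, summary: str) -> None:
        state = {"status": status, "updated_at": time.time()}
        (self.dir / "state.json").write_text(json.dumps(state), encoding="utf-8")
        report = f"# Run report\n\nStatus: {status}\n\n{redact(summary, self.token)}\n"
        (self.dir / "report.md").write_text(report, encoding="utf-8")


def run_worker(mount: str, run_id: str, step, env=os.environ) -> Path:
    """Run step(token) and record the outcome; the token is read from the Job secret."""
    token = env.get("HF_TOKEN", "")  # assumed secret name, never taken from argv
    if not token:
        raise RuntimeError("HF_TOKEN secret is missing")
    w = RunWriter(mount, run_id, token)
    w.event("start", "worker started")
    try:
        w.finish("succeeded", step(token))
    except Exception as exc:  # error text may embed the token, so it is redacted
        w.event("error", f"{type(exc).__name__}: {exc}")
        w.finish("failed", f"Step failed: {exc}")
    return w.dir
```

The redaction matches the literal token only; an encoded copy (base64, URL-encoded) would pass through, so the worker should still avoid building messages from request headers.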