docs(backlog): B-0833 — installer interactive-login vs baked-in-keys CI-test tension (resolve without shipping credentials on ISO) #5346
Merged
AceHack merged 2 commits on May 26, 2026
…nsion (resolve without shipping credentials on ISO)

Per operator 2026-05-26 from physical hardware-support test: "in the automated tests I see a tension between interactive login and baked in keys we probably are going to have to resolve this I would love if interactive device login didn't need to be human tested every time but this is hard to test"

Files B-0833 as P1 substrate-engineering target.

4-approach scoping:
- A: Mock GH device-code endpoint in CI (stub OAuth server; ~200 LOC; zero real credentials)
- B: Test-only ephemeral GH App with CI-scoped OIDC-minted tokens (real GH infrastructure; per-run rotation; scoped permissions)
- C: Skip auth in cascade #6 phase 1; layered tests (fastest; immediate testability gain; leaves auth coverage gap)
- D: Manual auth-only physical test (operator periodic; honest about what CI can/cannot cover; aligns with B-0831 physical-as-hardware-support-test reframing)

Likely landing: C first (Phase 0 immediate gain) + A or B (Phase 1 proper coverage) + D (steady-state residual).

HARD LIMITS section names 5 non-negotiable security properties:
- NO real GitHub PATs on ISO (publicly downloadable)
- NO operator SSH private keys on ISO (gh ssh-key list reads PUBLIC)
- NO long-lived credentials in CI (ephemeral or mock only)
- NO test credentials work against real GH API (mock-scoped)
- Audit trail for every CI auth test

Composes_with B-0794 (homelab-mode no-credentials-on-ISO) + B-0831 (CI cascade #6; this row resolves a P1 blocker for #6 phase 1+2) + B-0812/B-0813 (cluster-bringup substrate that auth gates) + methodology-hard-limits + classifier-bypass-research rules.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…wright with dedicated AI GH accounts (operator 2026-05-26)

Per operator: "to have it fully tested by ai likely going to have to perform the step and use Playwright to login into github likely going to need its own accounts and such"

Adds 5th resolution approach to B-0833 + matching acceptance criterion.

Approach E properties:
- AI agent uses Playwright to drive real GH device-code OAuth flow
- Dedicated AI-owned GH accounts (separate from operator's account)
- AI account scoped permissions (read-only this repo; minimal scope)
- 2FA TOTP secret in CI secret-store; agent generates TOTP at auth-time
- Per-run audit log: which AI account used; what scope tokens issued; tokens revoked post-test
- Composes with mcp__plugin_playwright_playwright__* tooling (existing Playwright surface; reusable for other browser-automation tests)

Trade-off named: highest-fidelity automated path (full real-GH OAuth end-to-end) but requires most operational substrate (AI accounts + Playwright + 2FA + account hygiene).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
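Approach A from the first commit message (a mock device-code endpoint with zero real credentials), as an added example that is not code from this PR or repository: the state machine a stub OAuth server would wrap, using RFC 8628 error codes and GitHub's documented device-flow paths. The class name, the `mock-` prefixes, the audit tuple layout and the `approve` test hook are assumptions made for illustration.

```python
import secrets, time
GRANT = "urn:ietf:params:oauth:grant-type:device_code"

class MockDeviceFlow:
    """In-memory stub of the RFC 8628 device grant; issues mock-only tokens."""
    def __init__(self, interval=5, expires_in=900, clock=time.monotonic):
        self.interval, self.expires_in, self.clock = interval, expires_in, clock
        self.pending, self.audit = {}, []  # device_code -> state; event log

    def device_code(self, client_id):
        dc, uc = "mock-dc-" + secrets.token_hex(8), secrets.token_hex(4).upper()
        self.pending[dc] = {"user_code": uc, "approved": False, "last_poll": None,
                            "expires": self.clock() + self.expires_in}
        self.audit.append(("device_code_issued", client_id, uc))
        return {"device_code": dc, "user_code": uc, "interval": self.interval,
                "verification_uri": "http://127.0.0.1/mock/device",
                "expires_in": self.expires_in}

    def approve(self, user_code):  # test hook: stands in for the human step
        for st in self.pending.values():
            if st["user_code"] == user_code:
                st["approved"] = True
                self.audit.append(("approved", user_code))

    def access_token(self, device_code, grant_type=GRANT):
        st, now = self.pending.get(device_code), self.clock()
        if grant_type != GRANT:
            return {"error": "unsupported_grant_type"}
        if st is None:
            return {"error": "invalid_grant"}
        if now >= st["expires"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        too_fast = st["last_poll"] is not None and now - st["last_poll"] < self.interval
        st["last_poll"] = now
        if too_fast:
            return {"error": "slow_down"}
        if not st["approved"]:
            return {"error": "authorization_pending"}
        del self.pending[device_code]  # device codes are single-use
        self.audit.append(("token_issued", st["user_code"]))
        token = "mock-token-" + secrets.token_hex(16)  # random, never issued by GitHub
        return {"access_token": token, "token_type": "bearer"}

    def handle(self, path, form):  # dispatch a form POST as a stub HTTP server would
        if path == "/login/device/code":
            return self.device_code(form.get("client_id", ""))
        if path == "/login/oauth/access_token":
            return self.access_token(form.get("device_code"), form.get("grant_type"))
        return {"error": "not_found"}
```

Injecting `clock` lets a CI test step through the pending, slow-down and expiry branches without sleeping, and `audit` gives the per-test record the hard limits ask for.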
Pull request overview
Adds a new P1 backlog row (B-0833) documenting the security vs CI-testability tension for installer GitHub authentication (interactive device-code login vs baked-in credentials), and updates the generated backlog index to include the new row.
Changes:
- Added backlog row B-0833 describing four resolution approaches (mock endpoint, ephemeral GH App, layered tests with auth skip, and periodic manual auth testing) plus non-negotiable security limits.
- Regenerated docs/BACKLOG.md to include B-0833 in the P1 section.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| docs/backlog/P1/B-0833-installer-interactive-login-vs-baked-in-keys-ci-test-tension-resolve-without-shipping-credentials-aaron-2026-05-26.md | New backlog item capturing constraints and candidate approaches for CI-testing installer auth without shipping credentials. |
| docs/BACKLOG.md | Index update to list the new B-0833 row under P1. |
Summary
Per operator 2026-05-26 from physical hardware-support test: "in the automated tests I see a tension between interactive login and baked in keys we probably are going to have to resolve this I would love if interactive device login didn't need to be human tested every time but this is hard to test"
The tension
4-approach scoping
Likely landing: C first + A or B follow-up + D as residual.
5 HARD LIMITS (non-negotiable per methodology-hard-limits + B-0794)
Test plan
🤖 Generated with Claude Code