diff --git a/docs/BACKLOG.md b/docs/BACKLOG.md index f66e141a73..8c0b948074 100644 --- a/docs/BACKLOG.md +++ b/docs/BACKLOG.md 
@@ -400,6 +400,7 @@ are closed (status: closed in frontmatter)._ - [ ] **[B-0840](backlog/P1/B-0840-thermal-forgetting-as-root-axiom-update-join-gated-memory-architecture-private-encryption-budget-exception-amara-aaron-2026-05-26.md)** thermal-forgetting = root-axiom-update + join-gated-memory architecture + private-encryption-budget exception (4-keeper-rule final form) — substrate-engineering work landing Amara's 2026-05-26 ratification of B-0839.3 reservoir-computing-as-framework-architecture (Aaron + Amara 2026-05-26) - [ ] **[B-0844](backlog/P1/B-0844-zflash-agent-mode-native-implementation-close-doc-vs-implementation-gap-aaron-2026-05-26.md)** zflash --agent flag — native agent-driven auto-type challenge implementation closing the docstring-vs-actual-implementation gap; empirical anchor from 2026-05-26 USB-re-flash session (Aaron 2026-05-26) - [ ] **[B-0852](backlog/P1/B-0852-credential-persistence-on-usb-esp-plus-boot-sequence-auth-method-picker-encrypted-blob-bound-to-usb-uuid-plus-operator-passphrase-aaron-2026-05-27.md)** credential persistence on USB ESP + boot-sequence auth-method picker — encrypted blob bound to USB UUID + operator passphrase (Phase 1); removes gh-login-throttle on USB re-boot workflow (Aaron 2026-05-27) +- [ ] **[B-0852.3](backlog/P1/B-0852.3-zeta-install-sh-step-6-77-cred-picker-integration-interactive-bake-vs-zflash-token-override-aaron-2026-05-27.md)** zeta-install.sh Step 6.77 cred-picker integration — interactive bake-in at setup time + zflash CLI token-override per declared cred (Aaron 2026-05-27 device-flow-at-setup vs token-at-zflash framing) - [ ] **[B-0853](backlog/P1/B-0853-sigstore-cosign-artifact-signing-free-stuff-iso-containers-tarballs-backed-by-fulcio-rekor-aaron-2026-05-27.md)** sigstore/cosign artifact signing — free-stuff coverage for ISO + containers + tarballs + Nix substitutes (Fulcio CA + Rekor transparency log; OIDC-keyless via GitHub Actions); commercial CAs deferred for proprietary OS surfaces (Aaron 
2026-05-27) - [ ] **[B-0854](backlog/P1/B-0854-zeta-install-sh-to-ace-install-zeta-migration-trajectory-package-json-style-declarative-manifest-like-scratch-and-sqlsharp-aaron-2026-05-27.md)** zeta-install.sh → `ace install zeta` migration trajectory — declarative `package.json`-style Ace manifest in Zeta repo (like `../scratch` and `../SQLSharp` already do); composes with B-0288 Ace CLI + B-0824 meta-PM + B-0816 ArgoCD-maximization + B-0742 distributable-POC pattern (Aaron 2026-05-27) - [ ] **[B-0855](backlog/P1/B-0855-self-registration-fires-LAST-post-install-post-first-boot-idempotent-across-reboots-deduped-against-in-flight-registration-prs-aaron-2026-05-27.md)** self-registration fires LAST (post-install + post-first-boot, when cluster is operational) + idempotent across reboots + de-duped against existing-registration AND in-flight-registration-PRs; cluster-agent coordination via /tmp folder OR Otto-pushes-PR-across-finish-line (Aaron 2026-05-27) diff --git a/docs/backlog/P1/B-0852.3-zeta-install-sh-step-6-77-cred-picker-integration-interactive-bake-vs-zflash-token-override-aaron-2026-05-27.md b/docs/backlog/P1/B-0852.3-zeta-install-sh-step-6-77-cred-picker-integration-interactive-bake-vs-zflash-token-override-aaron-2026-05-27.md new file mode 100644 index 0000000000..721d93446d --- /dev/null +++ b/docs/backlog/P1/B-0852.3-zeta-install-sh-step-6-77-cred-picker-integration-interactive-bake-vs-zflash-token-override-aaron-2026-05-27.md 
@@ -0,0 +1,153 @@ +--- +id: B-0852.3 +priority: P1 +status: open +title: zeta-install.sh Step 6.77 cred-picker integration — interactive bake-in at setup time + zflash CLI token-override per declared cred (Aaron 2026-05-27 device-flow-at-setup vs token-at-zflash framing) +effort: M +ask: aaron 2026-05-27 +created: 2026-05-27 +last_updated: 2026-05-27 +depends_on: + - B-0852.1 + - B-0852.2a + - B-0852.2b + - B-0852.5 + - B-0852.10 +composes_with: + - B-0852.4 + - B-0857 +tags: [b-0852-sub-row, cred-persistence, zeta-install-sh, step-6-77, picker, interactive-setup, zflash-cli-override, device-flow-at-setup-time, token-at-zflash-time] +--- + +## Operator framing (Aaron 2026-05-27) + +Three messages establishing the device-flow-vs-token split: + +### Message 1 + +> *"i think if we do token we should do at zflash time and human interactive at setup time what do you think?"* + +### Message 2 + +> *"Yes i like that frameing lets do it that way and then zflash script and/or skill can make sure it asks what declared creds you want to bake in vs go through device flow."* + +### Message 3 (refinement) + +> *"maybe instead of loop in zflash you just allow command line override of any declared cred as token well at least the ones we support that way, might need custom code per cred type for this idk. 
the would probably be easier for the ai to call."* + +## Substrate-honest reading + +Two distinct integration points emerge from the operator framing: + +| Phase | Where | Mode | What | +|---|---|---|---| +| **Setup time** (install / first-boot) | zeta-install.sh Step 6.77 | Interactive | Picker asks operator: for each declared cred in the manifest, bake-in (via persist CLI + --bake-cred) OR defer to device-flow at runtime OR skip | +| **zflash time** (re-flash / re-bake) | zflash script | Non-interactive (CLI-override) | Per-cred command-line flag like `--bake-cred =` allows AI-driven re-baking without an interactive loop | + +The setup-time interactive picker matches the operator's stated preference ("human interactive at setup time"). The zflash-time CLI override matches the refinement ("easier for the ai to call"). + +Both consume the just-landed B-0852.2b persist CLI (PR #5425); zflash-time mode is essentially `bun tools/installer/zeta-creds-persist.ts --bake-cred =...` with the operator's cred sources resolved by the per-cred handlers (B-0852.10). + +## Scope + +### B-0852.3a — Step 6.77 interactive picker + +Add a new step in `full-ai-cluster/usb-nixos-installer/zeta-install.sh` (positioned before Step 6.8 reboot or wherever appropriate per the inventory in B-0854.1): + +1. Read the declarative cred-manifest (`tools/installer/zeta-creds-manifest.ts` DEFAULT_MANIFEST) +2. For each cred entry: prompt operator with 3-option choice: + - **Bake-in now** — sub-prompt for value-source (literal / @file path / env:VAR); call `zeta-creds-persist --bake-cred =` to add to the cred-blob + - **Defer to device-flow** — skip; runtime will handle via interactive OAuth or equivalent (per B-0833 installer interactive-login + OAuth substrate) + - **Skip** — operator does not want this cred on this install at all +3. After loop completes, finalize the cred-blob: persist to ESP at `/esp/zeta-creds.enc` with operator-provided passphrase +4. 
Composes with the persona section (per-persona-scoped creds picked when --persona is set; same loop variant) + +### B-0852.3b — zflash CLI override flags + +Extend the zflash script (location TBD — likely `tools/installer/zflash.ts` or skill) so EVERY cred in the declared manifest can be overridden via CLI: + +```bash +zflash --bake-cred gh-cli=ghp_xxx --bake-cred claude=@/path/to/claude-creds.json --bake-cred ssh-operator-pubkey=env:SSH_PUBKEY ... +``` + +- Non-interactive (no operator prompt loop) +- Same `--bake-cred` arg shape as `zeta-creds-persist --bake-cred` (already supports literal / @file / env:VAR via B-0852.10 handlers) +- For creds NOT supplied on the CLI: defer to device-flow at runtime (same as picker's "defer" option) +- AI-callable: a peer agent (Otto / Alexa / Vera) can drive zflash with declarative arg list without sitting in an interactive loop + +### B-0852.3c — passphrase-source policy + +Both modes need passphrase resolution. Options preserved per default-to-both: + +- Interactive prompt (setup-time only; operator types at terminal) +- `--passphrase-file ` (already supported by persist CLI) +- `--passphrase-env ` (already supported by persist CLI) +- Hardware-backed (Touch ID / YubiKey / etc.) 
— DEFERRED to later sub-row + +## Composes with substrate + +- **B-0852.1** (crypto) — encrypt to ESP +- **B-0852.2a** (envelope) — wire format +- **B-0852.2b** (persist + restore CLIs) — the actual binary this row wraps +- **B-0852.5** (declarative manifest) — drives the loop iteration +- **B-0852.10** (per-cred handlers) — value-source resolution (literal/@file/env:VAR) +- **B-0852.4** (NixOS module) — runtime decrypt at boot consumes what this row produces at install +- **B-0857** (install.sh universal entry) — composes at routing scope; picker fires at install-time across all environment routes per Turn 5 spectrum +- **B-0833** (installer interactive-login-vs-baked-in-keys) — "defer to device-flow" branch of the picker +- **B-0855** (self-register architectural fix) — fires AFTER cred-persistence completes; same ordering as the rest of Step 6.x + +## Substrate-inventory pass (per `.claude/rules/verify-existing-substrate-before-authoring.md`) + +Topic: cred-picker integration at install-time + zflash-time + +Searched surfaces: + +- `docs/backlog/` — B-0833 (installer interactive-login substrate) + B-0848 (cred-persistence parent) + B-0852.* family + B-0854.1 (install.sh inventory) — none cover the Step 6.77 picker integration specifically +- `tools/installer/` — persist + restore CLIs ready (PR #5425); no picker wrapper yet +- `full-ai-cluster/usb-nixos-installer/zeta-install.sh` — Step 6.95a invokes install.sh (B-0857.1 audit confirms); no Step 6.77 picker yet +- `memory/` — no prior memory on Step 6.77 specifically + +Read top hits: + +- Operator's verbatim three messages 2026-05-27 establishing the split (above) +- B-0852.2b PR #5425 (the CLIs this row consumes) +- B-0852.10 PR #5418 (the handlers this row's value-source resolution composes with) +- B-0854.1 PR #5420 (the inventory this row's Step 6.77 positioning composes with) + +Conclusion: no existing row covers Step 6.77 picker integration; this row fills the gap; composes cleanly with adjacent landed 
substrate. + +Authoring action: mint new sub-row B-0852.3 (next subdecimal after .2b in the B-0852.* family). + +## Why P1 not P2 + +- Directly blocks operator's USB cred-persistence test (gap named explicitly by operator 2026-05-27 USB question) +- All four upstream sub-rows (.1 / .2a / .2b / .5 / .10) merged; this is the operator-facing integration that unblocks empirical USB validation +- Operator-named: "device-flow at setup, token at zflash" was the explicit operator framing in three messages on 2026-05-27 +- Bounded scope (M-effort): one new Step in zeta-install.sh + zflash CLI flag extension + passphrase-source policy + +## Sub-rows to file when implementing + +- **B-0852.3a** — Step 6.77 interactive picker in zeta-install.sh (consumes persist CLI) +- **B-0852.3b** — zflash CLI override flags (per-cred non-interactive) +- **B-0852.3c** — passphrase-source policy (interactive + file + env; hardware-backed deferred) +- **B-0852.3d** — empirical USB test of the full picker → persist → restore → use chain (test on freshly-flashed USB) + +Order: 3a (picker) → 3c (passphrase) → 3b (zflash CLI) → 3d (empirical test). Each ships small + independent. 
+ +## What this is NOT + +- NOT a replacement for B-0833 device-flow substrate (composes; "defer to device-flow" IS one branch of the picker) +- NOT a replacement for B-0852.4 NixOS module (composes; this row produces the blob at install; .4 consumes it at boot) +- NOT a hardware-token-only flow (operator framing explicitly says "human interactive at setup time") +- NOT a Rule 0 violation (TS-first; the persist CLI is already .ts; the picker can be a .ts called from zeta-install.sh's existing install-graph carve-out at tools/setup/) + +## Composes with rules + +- `.claude/rules/holding-without-named-dependency-is-standing-by-failure.md` — filing this row IS counter-reset condition #3 ("file a candidate B-NNNN"); this row's filing closes the 100-tick brief-ack cascade caught by operator 2026-05-27 ("it keeps happening more than before") +- `.claude/rules/no-directives.md` — operator authority over cred-persistence flow; picker preserves choice (bake / defer / skip) +- `.claude/rules/non-coercion-invariant.md` HC-8 — operator authority over own creds; passphrase NEVER logged; required-cred write failure surfaces the failure rather than silently degrading +- `.claude/rules/verify-existing-substrate-before-authoring.md` — substrate-inventory pass cited inline above + +## Full reasoning + +Operator 2026-05-27 verbatim three-message framing (preserved above). Filed 2026-05-27 in response to operator's USB-state question + operator's substrate-honest naming of the recurring brief-ack failure mode ("it keeps happening more than before"). Filing IS the substrate-honest counter-reset move per the rule the agent's been violating.
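Review bot: in the docs/BACKLOG.md hunk, the new B-0852.3 row summarises the zflash half as "zflash CLI token-override per declared cred" without saying what value-source forms the override accepts, so a reader of the index alone will assume a literal token on the command line; the sub-row file itself lists literal / @file / env:VAR via the B-0852.10 handlers, and the index line should carry that qualifier so it matches the sibling B-0852 row's level of detail, e.g. "zflash CLI `--bake-cred` override per declared cred (literal / @file / env:VAR)". The "(Aaron 2026-05-27 device-flow-at-setup vs token-at-zflash framing)" suffix also duplicates the frontmatter title verbatim and could be shortened to the same "(Aaron 2026-05-27)" attribution the neighbouring rows use.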
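Review bot: in the new B-0852.3 file, the B-0852.3b example `zflash --bake-cred gh-cli=ghp_xxx ...` shows a literal token as a command-line argument, which on a shared host is visible to other processes via the process table and lands in shell history; since the same section already says the flag accepts `@file` and `env:VAR`, the example should lead with one of those forms for the token case and the scope should state which form the AI-callable path is expected to use, in line with the HC-8 "passphrase NEVER logged" commitment further down (the same commitment should explicitly cover the `--bake-cred` value when zeta-install.sh runs with tracing or logs its steps). Three smaller documentation issues in the same hunk: the flag shape is written as `--bake-cred =` in the Substrate-honest table and in Step 2 of 3a, so the name/value placeholders were lost and it should read `--bake-cred NAME=VALUE` to match the 3b example; Step 2 has each bake-in call the persist CLI per cred while Step 3 finalizes "with operator-provided passphrase", so the row should say whether the passphrase is collected once up front and passed via `--passphrase-file`/`--passphrase-env` to every call or prompted on each; and "All four upstream sub-rows (.1 / .2a / .2b / .5 / .10)" lists five identifiers.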