feat: CLI backend auth and same-account iroh auto-trust#1064
Draft
ital0 wants to merge 87 commits into
Draft
Conversation
…sessions, more providers
…' into italomenezes/thunderbolt-cli-auth
Semgrep Security ScanNo security issues found. |
PR Metrics
Updated Thu, 09 Jul 2026 19:21:43 GMT · run #2252 |
…olt-cli-mvp # Conflicts: # bun.lock # package.json # src/hooks/use-add-server-form.test.ts # src/hooks/use-mcp-sync.tsx # src/settings/mcp-servers.test.tsx # src/settings/mcp-servers.tsx
… silent frame loss
…' into italomenezes/thunderbolt-cli-auth # Conflicts: # cli/src/iroh/bridge.test.ts # cli/src/iroh/bridge.ts
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Phase 2 of the Thunderbolt CLI: backend auth + same-account iroh auto-trust, implementing the approved design in
docs/superpowers/specs/2026-07-03-cli-auth-same-account-trust-design.md. Stacked on #1032 (italomenezes/thunderbolt-cli-mvp).thunderbolt login— RFC 8628 device-authorization grant via Better Auth (deviceAuthorizationplugin): prints verification link + user code, best-effort terminal QR, polls for the signed bearer, stores it in the CLI config. PAT viaTHUNDERBOLT_TOKENenv (apiKeyplugin,x-api-keyauth) is the zero-human CI / self-host escape hatch./deviceapp route — approval page for the CLI login (mirrorsApproveDeviceDialog); requires a signed-in session, and theuser_codenow survives the login redirect (stash + replay).GET /devices/allowlist), caches it, and refreshes every 45s. The connection gate becomes: account allowlist OR the manualiroh allowfile (which stays, and remains the only path in Standalone mode).node_id, so the bridge's own id disappearing from a populated allowlist is the self-revocation signal).POST /devices/me/node-id, no canary) and registers the bridge as a device (device_type='bridge', reservedbridge-id namespace). The canary-gated attestation route is unchanged.device_typesynced column ondevices+ bridge badge in device settings.Deploy notes
device_typesynced-column ordering: the backend column commit (b6f1cb65) is first and separable. Run migration0022and refresh the PowerSync Cloud dashboard rules before relying ondevice_typecross-device; until then it stays null cross-device and reads as a normal device (null-tolerant, so same-PR deploy is safe). Migrations0022/0023have theirbackend/drizzle/meta/_journal.jsonentries.SELECT *— noconfig.yamlchange needed.Beyond-spec hardening (disclosed)
isSecureCloudUrlHTTPS-or-loopback policy on the CLI cloud URL (login + bridge), aligned with RFC 8628 §3.1.device_type: reservedbridge-id namespace and a PowerSync upload deny so clients can't self-label a device a bridge.Review
Two-axis review (spec compliance + repo standards) plus a simplify-and-validate pass ran on this branch; the gaps found were fixed here: PAT now works end-to-end (env credential reaches the bridge with
x-api-key), D8 self-revocation teardown is wired,user_codesurvives the login redirect,/deviceis lazy-loaded, and sizing/comment nits are aligned with CLAUDE.md.Testing
--rerun-each 5; device-grant, self-enroll (own-id only), and allowlist (trusted + non-revoked, account-scoped) routes covered perbackend/docs/testing.md.--rerun-each 5;/deviceapproval logic and transparent-enrollment triggers covered perdocs/development/testing.md.bun run check(type-check, eslint, prettier, license headers) clean.🤖 Generated with Claude Code