Agent runtimes & authentication

Auth reliability and convenience program

Status: Partially implemented — Phase 0 (new-tab overwrite fix) and Phase 1 (multi-company source folders) are shipped; Phase 2 and Phase 5 have shipped baseline pieces with real gaps remaining; Phases 3, 4, 6, and 7 are still open design proposals

This is the umbrella item for jackin authentication reliability: auth that works at first but fails later, silently, in ways that force the operator to interrupt their work. Each phase below is tracked as its own roadmap item; this page is the index and current-status summary across all of them. For the full failure-mode analysis, root-cause reasoning, and phase-sequencing rationale behind this program, see Auth reliability program — design rationale.

Shipped facts

Phase 0 — new-tab credential overwrite. Fixed. jackin-capsule's durable-agent-home first-seed gate stops later jackin-capsule new invocations from overwriting credentials the agent already refreshed in-container. See Auth overwrite on new tab.

Phase 1 — multi-company auth isolation. Fixed. The optional sync_source_dir field on AgentAuthConfig resolves through the workspace-role → workspace → global chain; the console Auth tab exposes a Source-folder row per sync-mode agent, validated against the selected agent's credential structure. See Agent Authentication → Choosing a sync source folder and Schema Versions.

Phase 2 — auth health baseline. Capsule exposes session-local usage/account status surfaces, launch records per-agent auth provisioning outcomes, jackin doctor has a coarse gh_auth check, and jackin config auth show prints global modes. The pre-launch credential probe, jackin auth status, and console Auth-tab health glyphs are not shipped. See Auth health and operator visibility.

Phase 5 — credential source baseline. EnvValue covers literals, host-env references, structured op:// refs, and on-demand delivery; jackin-exec resolves selected credentials through the host-side host.sock bridge rather than injecting them at launch. The general cross-consumer CredentialSource abstraction has not been started. See Credential source pattern.

Remaining work

  1. Phase 2 completion — pre-launch credential-health probe, jackin auth status CLI subcommand, and console Auth-tab health glyphs. See Auth health and operator visibility.
  2. Phase 3 — jackin daemon foundation — the long-running host process (lifecycle, install, control socket, log redaction) that Phases 4 and 7 depend on. Design proposal only, open design questions unresolved. See jackin daemon.
  3. Phase 4 — live bidirectional auth sync — propagate token rotation across host and running containers within seconds. Depends on Phase 3. See Live bidirectional auth sync.
  4. Phase 5 completion — the general CredentialSource abstraction spanning non-env consumers (command, OS secret store, file backends). See Credential source pattern.
  5. Phase 6 — credential exposure hardening — move remaining launch-time tokens off docker run -e, then opaque per-command handles, then a credential proxy. See Container credential exposure.
  6. Phase 7 — mid-session secret and host-action requests — TouchID/polkit-gated approval flow for agents that need a new credential or host action mid-session. Depends on Phase 3. See Host bridge — secrets and approved host actions.

On this page