Auth reliability and convenience program
Status: Partially implemented — Phase 0 (new-tab overwrite fix) and Phase 1 (multi-company source folders) are shipped; Phase 2 and Phase 5 have shipped baseline pieces with real gaps remaining; Phases 3, 4, 6, and 7 are still open design proposals
This is the umbrella item for jackin❯ authentication reliability: auth that works at first but fails later, silently, in ways that force the operator to interrupt their work. Each phase below is tracked as its own roadmap item; this page is the index and current-status summary across all of them. For the full failure-mode analysis, root-cause reasoning, and phase-sequencing rationale behind this program, see Auth reliability program — design rationale.
Shipped facts
Phase 0 — new-tab credential overwrite. Fixed. jackin-capsule's durable-agent-home first-seed gate stops later jackin-capsule new invocations from overwriting credentials the agent already refreshed in-container. See Auth overwrite on new tab.
Phase 1 — multi-company auth isolation. Fixed. The optional sync_source_dir field on AgentAuthConfig resolves through the workspace-role → workspace → global chain; the console Auth tab exposes a Source-folder row per sync-mode agent, validated against the selected agent's credential structure. See Agent Authentication → Choosing a sync source folder and Schema Versions.
Phase 2 — auth health baseline. Capsule exposes session-local usage/account status surfaces, launch records per-agent auth provisioning outcomes, jackin doctor has a coarse gh_auth check, and jackin config auth show prints global modes. The pre-launch credential probe, jackin auth status, and console Auth-tab health glyphs are not shipped. See Auth health and operator visibility.
Phase 5 — credential source baseline. EnvValue covers literals, host-env references, structured op:// refs, and on-demand delivery; jackin-exec resolves selected credentials through the host-side host.sock bridge rather than injecting them at launch. The general cross-consumer CredentialSource abstraction has not been started. See Credential source pattern.
Remaining work
- Phase 2 completion — pre-launch credential-health probe,
jackin auth statusCLI subcommand, and console Auth-tab health glyphs. See Auth health and operator visibility. - Phase 3 — jackin❯ daemon foundation — the long-running host process (lifecycle, install, control socket, log redaction) that Phases 4 and 7 depend on. Design proposal only, open design questions unresolved. See jackin❯ daemon.
- Phase 4 — live bidirectional auth sync — propagate token rotation across host and running containers within seconds. Depends on Phase 3. See Live bidirectional auth sync.
- Phase 5 completion — the general
CredentialSourceabstraction spanning non-env consumers (command, OS secret store, file backends). See Credential source pattern. - Phase 6 — credential exposure hardening — move remaining launch-time tokens off
docker run -e, then opaque per-command handles, then a credential proxy. See Container credential exposure. - Phase 7 — mid-session secret and host-action requests — TouchID/polkit-gated approval flow for agents that need a new credential or host action mid-session. Depends on Phase 3. See Host bridge — secrets and approved host actions.
Related work
- Auth overwrite on new tab — Phase 0.
- Auth health and operator visibility — Phase 2.
- Workspace Claude token setup — Claude OAuth-token setup; shares the Phase 2 validity-probe integration point.
- GitHub CLI authentication strategy — GitHub-specific auth modes; shares the Phase 2 pre-flight and Phase 4 bidirectional sync.
- jackin❯ daemon — Phase 3.
- Live bidirectional auth sync — Phase 4.
- Credential source pattern — Phase 5.
- Container credential exposure — Phase 6.
- Host bridge — secrets and approved host actions — Phase 7.
- Reliable Claude authentication strategy — historical design context for the current
sync/token/ignoremode set. - Research: Auth reliability program — design rationale — the seven failure modes, why they share one root cause, phase-sequencing rationale, design constraints, and target end state.