Conversation
… (#838) (#279) * feat(installer): reorder — sign in + provision the client before Helm (#838) RFC-0001 §6.4 / #838: move CLI install + `tracebloc login` + `tracebloc client create` to run BEFORE the Helm install, so the minted credential + derived namespace feed the chart. A new Step 3 (provision_client) sits between create_cluster and install_client_helm. - scripts/lib/provision.sh (new): provision_client + _provisioning_preset. - Browser-auth path: install the CLI (now FATAL — it mints the credential, vs the old non-fatal post-Helm Step 5), `tracebloc login` (device flow), `client create --credential-file` -> source the 0600 file -> export TRACEBLOC_CLIENT_ID/PASSWORD/ TB_NAMESPACE into install_client_helm's existing non-interactive env contract. The credential is never printed; the transient file is removed after sourcing AND on any error/signal (install_cleanup backstop via _PROVISION_CRED_FILE) so a failed mint never leaves a secret-bearing file behind. - Adopt (re-run): no fresh credential — hand only TB_NAMESPACE and let install_client_helm reconcile the existing release from values.yaml. - DUAL-MODE preserved: TRACEBLOC_VALUES_FILE / pre-supplied TRACEBLOC_CLIENT_ID+ PASSWORD skip sign-in (still installs the CLI, non-fatal). Unattended installs use this path (device-flow login is interactive; an enroll-token login is a follow-up). - install-k8s.sh: source provision.sh (guarded for stale bootstraps); call provision_client before install_client_helm; drop the trailing non-fatal CLI install (now done in Step 3). install.sh: fetch provision.sh. - common.sh: renumber the print_roadmap steps to match (3 sign-in/provision, 4 install, 5 connect); install_cleanup removes the transient credential file on any exit. - Renumbered the step headers (provision=3, install=4, connect=5); dropped the step heading from install_tracebloc_cli (the caller owns it now). Tests: scripts/tests/provision.bats (8) — dual-mode skip (creds + values), mint hands all three env vars, adopt hands only namespace, fatal on missing CLI / failed login / no credential file, and a failed create leaves no credential file behind. install-cli + install-client-helm + common (install_cleanup) suites still green (the 2 pre-existing local-env failures — validate_config + _extract_yaml '' — fail on develop too, unrelated). shellcheck clean on provision.sh. Depends on cli `client create --credential-file` (cli#104, merged) + a CLI release that ships login+create; install-cli.sh fetches releases/latest. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * fix(installer): harden #838 credential handling + step-numbering consistency Folds PR #279 review hardening into the provision-before-Helm reorder: - provision.sh: run `client create` under `umask 077` so the credential file lands 0600 even if a future CLI build regresses on its explicit chmod (defense in depth; cli#104 already sets 0600). - provision.sh: clear TRACEBLOC_CLIENT_ID/PASSWORD/TB_NAMESPACE/ADOPTED before sourcing the credential file. The mint case does not write ADOPTED, so a stale ADOPTED=1 in the environment would otherwise misroute a fresh mint into the adopt branch and drop the just-minted credential. Regression test added. - install-k8s.sh: trap SIGINT/SIGTERM -> exit so the EXIT-trap credential shred always runs on Ctrl-C; the brief mint->source window no longer risks leaving the 0600 secret on disk. - install-k8s.sh: fix leftover "Step 1/4"/"Step 2/4" headers to /5 (the step() calls already pass 5; the #838 renumber missed these two). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * fix(installer): resolve PR #279 review — CLI-capability fallback + in-place namespace reconcile Addresses the two review comments on the provision-before-Helm reorder: - provision.sh (release-sequencing gate): probe the installed CLI for `login` + `client create` (cli#104) before taking the browser-auth path. The CLI is pulled from the latest RELEASE, which can lag this installer; if it's too old, fall back to the proven manual-credential path (install_client_helm prompts) instead of hard-failing on an unknown `tracebloc login`. Makes the reorder safe regardless of CLI-release timing — the browser flow auto-engages once the release lands. Regression test added. - install-client-helm.sh (duplicate-release on re-run): when the SAME client is already installed under a different namespace (e.g. an old installer's fixed `tracebloc` ns vs. the #838 minted slug), upgrade that release in place instead of forking a second one under the new namespace — a silent fork would double-book host capacity and orphan the original. Reuses the guard's existing_ns. Regression test added. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Co-authored-by: Asad Iqbal <asad.dsoft@gmail.com>
…ly-chain feat(installer): immutable-tag pin + signed sub-script manifest for the curl|bash bootstrap (RFC-0001 R8)
* fix: install the CLI on the stale-bootstrap path in install-k8s.sh Bugbot (promotion PR #284): CLI installation now runs only inside provision_client, but the orchestrator only calls it when provision.sh was fetched. A stale bootstrap that fetched install-cli.sh but not provision.sh completes without ever installing the CLI (unlike the old post-Helm Step 5). Add an elif fallback that calls install_tracebloc_cli (non-fatal) when provision_client is absent. - Stale bootstrap skips CLI install (scripts/install-k8s.sh:121) Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * chore: regenerate scripts/manifest.sha256 for install-k8s.sh change The supply-chain manifest pins the digest of every script the bootstrap fetches; editing install-k8s.sh changed its hash. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> --------- Co-authored-by: shujaat hasan <shujaathasan@shujaats-MacBook-Pro.local> Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 311a950. Configure here.
saadqbal
left a comment
There was a problem hiding this comment.
Verified the promotion:
- The
E2E auth-proxy (squid)red was a flake, not a regression from this promotion —e2e-proxy.shis byte-identical on main/v1.8.0/develop, it's green on main and on #285, and §4 produced no CONNECT tunnel (a squid connect race). It cleared green on the re-run here. - Folded in #285 so #279's stale-bootstrap CLI-install gap (the Bugbot finding) ships fixed rather than as a follow-up.
Green apart from the advisory FR gate. Good to promote 👍
…#284) (#286) Second Bugbot finding on the develop→main promotion (#284). The one-client-per-machine guard in install_client_helm enumerated client-chart releases with `helm list -A -o json | jq`, falling back — when jq is absent — to reading values for only the minted TB_NAMESPACE. Post-#838 TB_NAMESPACE is the client slug, not the historical fixed `tracebloc` namespace, so on a jq-less host the fallback missed an existing `tracebloc` release and forked a SECOND helm release under the slug — double-booking the host, the exact fork the guard exists to prevent. jq is not a guaranteed prerequisite (preflight never checks or installs it; it is used nowhere else in the installer). Replace the jq path + single-namespace fallback with one jq-free enumeration across ALL namespaces: `helm list -A` + awk on the NAME/NAMESPACE columns, matching client-<ver> in the CHART column — the same jq-free parse _chart_version already uses. Removes the jq dependency and the fallback divergence that caused the bug. - install-client-helm.sh: jq-free `helm list -A | awk` enumeration. - manifest.sha256: regenerated for the changed script (the R8 bootstrap verifies each fetched sub-script against it). - install-client-helm.bats: the 3 guard tests now mock tabular `helm list` output (was JSON for the jq path); new regression test proves the different-namespace reconcile works with jq reported absent (fails on the old fallback, passes here). shellcheck clean; gen-manifest.sh --check passes; bats green (the one pre-existing _extract_yaml '' failure is a local macOS bash 3.2 quirk, green in CI, unrelated). Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
saadqbal
left a comment
There was a problem hiding this comment.
Re-approving after the develop re-sync (my earlier approval was dismissed by the head change). Both Bugbot findings are now fixed and merged — #285 (stale-bootstrap CLI) and #286 (jq-free one-client guard) — and Bugbot's re-review on this head is clean. auth-proxy green, all CI green. FR cards advanced to Ready for prod. 👍

Release promotion:
develop→mainOpened ahead of the staging release week of Mon 2026-06-29 to start Bugbot review early and surface issues before the cutover. Head is
develop, so any PRs that merge in before the release will update this PR's head and re-trigger Bugbot automatically.Delta (2 commit(s) ahead of
main)Initial snapshot — will change as more lands on
develop.Files changed
Note
High Risk
Changes the most privileged install path (credential mint, Helm, verified downloads) and release signing; mistakes could block installs or weaken supply-chain guarantees until the first signed release is validated.
Overview
Hardens the
curl | bashbootstrap so sub-scripts are fetched only from immutablevX.Y.Ztags, checked againstmanifest.sha256, and the manifest is verified with cosign keyless before any privileged work runs; installs fail closed without cosign or a valid signature unlessTRACEBLOC_ALLOW_UNVERIFIED=1. Addsgen-manifest.sh, committedmanifest.sha256, ref/path guards, cosign bootstrap, and bats coverage ininstall-bootstrap.bats.Release and CI: a
sign-installer-manifestjob on chart release generates and signs the manifest, stampsinstall.shfor the tag (safe substitution), self-tests, and attaches installer + manifest assets; installer-tests runsgen-manifest.sh --checkand shellchecksgen-manifest.sh. Docs:docs/SUPPLY_CHAIN.md, README, anddocs/SECURITY.md(G8).Install flow (#838): new
provision.shruns Step 3 — CLI install, browser login,client create— before Helm so minted credentials and namespace feed the chart; dual-mode (env/values) unchanged.install-k8s.shadds guarded sourcing, INT/TERM traps, and cleanup of transient credential files; Helm step renumbering plus jq-freehelm listfor the one-client guard and in-place upgrade when the same client lives in another namespace.Reviewed by Cursor Bugbot for commit b403f4e. Bugbot is set up for automated code reviews on this repo. Configure here.