Merged
11 changes: 7 additions & 4 deletions docs/development.md
Expand Up @@ -55,10 +55,13 @@ make clean # remove build artifacts

## Interactive Init Notes

`cr init` interactive mode only collects non-secret configuration. When the
selected LLM auth mode is `api_key`, the wizard saves the non-secret profile
shape and prints a follow-up `cr set-credential` command instead of collecting
the API key inline.
`cr init` interactive mode keeps all writes draft-local until the user commits
staged changes. Reviewer setup may collect PAT or GitHub App reviewer secrets
inside the reviewer-entity flow, but those values are only written to the
credential store during **Commit staged changes and exit**. When the selected
LLM auth mode is `api_key`, the wizard saves the non-secret profile shape and
prints a follow-up `cr set-credential` command instead of collecting the API key
inline.

Interactive `git.host` edits now route through the repository-route stage when
the target profile already participates in `repository_profiles` routing. The
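Review bot: The added paragraph leaves the split between the two secret paths unexplained: reviewer PAT or GitHub App secrets are now collected inside the wizard, while the last sentence keeps `api_key` mode on the follow-up `cr set-credential` command "instead of collecting the API key inline". Suggest one sentence giving the reason for the difference, so a contributor does not treat either path as a bug and "fix" it. It would also help to say what final commit does for an LLM credential ref in `api_key` mode, since docs/init-ux-contract.md in this same change says final commit "still handles untouched or deferred Git, reviewer, and LLM credential refs" and the two statements are easy to read as conflicting.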
24 changes: 14 additions & 10 deletions docs/init-ux-contract.md
Expand Up @@ -144,19 +144,23 @@ Until the user chooses **Commit staged changes and exit**:

🔵 Low (harness-engineering:harness-knowledge-reviewer): The updated contract introduces subflow credential collection but doesn't document the session-level invariant that defer/skip-optional decisions are memoized and filtered when reviewer config changes. A short note in the Draft-Local Reuse Rules section stating that interim credential decisions are session-scoped and discarded when their associated credential ref changes would make this invariant explicit for future contributors adding new subflow types.

Reply to this thread when addressed.

Interactive `init` must offer both:

- **Commit staged changes and exit**: validate the draft, collect or defer
required secrets, then write config and keyring state in the defined
final commit order
- **Commit staged changes and exit**: validate the draft, collect or defer any
still-unhandled required secrets, then write config and keyring state in the
defined final commit order
- **Discard staged changes and exit**: discard the draft and leave both config and
keyring untouched

Credential collection belongs near final commit, after the user has assembled the
profile shape well enough to understand why each secret is needed.

If the user cancels during credential collection after choosing **Commit staged
changes and exit**, any pending secret values remain draft-only and the session
returns to a no-write state. Until final commit begins, cancellation must still
leave both config and keyring untouched.
Credential values may be collected inside the relevant subflow once the user has
enough local context to understand why each secret is needed. For example,
reviewer-entity setup may collect PAT or GitHub App reviewer secrets immediately
after the reviewer settings are staged. Those values remain draft-local until
commit; final commit still handles untouched or deferred Git, reviewer, and LLM
credential refs.

If the user cancels during credential collection, whether from a subflow or after
choosing **Commit staged changes and exit**, any pending secret values remain
draft-only and the session returns to a no-write state. Until final commit
begins, cancellation must still leave both config and keyring untouched.

## Draft-Local Reuse Rules

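Review bot: In the rewritten cancellation paragraph, "the session returns to a no-write state" is ambiguous for the new subflow case: it does not say whether cancelling inside reviewer-entity setup drops only the pending secret value or also the reviewer settings staged just before it, nor whether the user lands back in the wizard or exits. Suggest stating both outcomes. Because secrets can now be collected well before commit, the contract should also say where "draft-local" values are held until commit (for example, in memory only and never in a draft file on disk), and the **Discard staged changes and exit** bullet should say that collected values are dropped, not only that config and keyring stay untouched.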